Security Basics mailing list archives
Re: Is anyone else seeing SMURF ?
From: Logan Rogers-Follis <logan () tntnetworx net>
Date: Tue, 26 Aug 2003 20:00:11 -0600
Ahh yes, quite nice. Ya here is some from local log. I run in a 24.233.xxx.xxx Class C and I have a 208.33.xxx.xxx Class C also assigned to myself so that is why you see (even though I am not using the 208.33.xxx.xxx - just have it built into the NIC) things in the 208 block.
08/26/2003 19:47:46 Blocked ICMP Incoming 24.223.196.xx 8 24.223.xx.xx 0 1 08/26/2003 19:47:03 08/26/2003 19:47:03 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 24.223.196.xx 8 24.223.xx.xx 0 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 1 08/26/2003 19:47:03 08/26/2003 19:47:03 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 24.224.13.xxx 8 24.223.xx.xx 0 1 08/26/2003 19:47:01 08/26/2003 19:47:01 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 24.224.13.xxx 8 24.223.xx.xx 0 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 1 08/26/2003 19:47:01 08/26/2003 19:47:01 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 24.221.9.xx 8 24.223.xx.xx 0 1 08/26/2003 19:47:00 08/26/2003 19:47:00 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 24.221.9.xx 8 24.223.xx.xx 0 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 1 08/26/2003 19:47:00 08/26/2003 19:47:00 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 24.220.32.xxx 8 24.223.xx.xx 0 1 08/26/2003 19:46:55 08/26/2003 19:46:55 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 24.220.32.xxx 8 24.223.xx.xx 0 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 1 08/26/2003 19:46:55 08/26/2003 19:46:55 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 208.35.181.xxx 8 208.33.xx.xxx 0 1 08/26/2003 19:46:54 08/26/2003 19:46:54 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 208.35.181.xxx 8 208.33.xx.xxx 0 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 1 08/26/2003 19:46:54 08/26/2003 19:46:54 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_100
So, I am thinking this is something I need to set up and have filtered out, do you all agree?
Logan

P.S. Dang those stupid script kiddies :-(

Jamie Pratt wrote:
Unfortunately, this smurf business may be old, but not gone.. Worst part is due to the nature of these attacks, you can't find the real source IPs - (thank the irc script-kiddies obviously.. who else would be so bored?) - they are apparently using these (and probably other) networks as 'smurf amplifiers': http://www.powertech.no/smurf

jamie

Logan Rogers-Follis - TNTNetworx.net wrote:

Sean,

I see about 50+ of these a day if I leave my PC on all the time....of course they are always stopped by my firewall, but they're still annoying because they fill up my logs. I see them from all different IPs even though I just recently moved myself into a new Class C netblock (no one else is in it except a Cisco Router). So I would also be interested to know if anyone knows why, just because it's annoying :-P Though I have never bothered to check their IPs for location (I know a good chunk of the netblocks licensed to my region, so I'll see what I find).

Are these different IPs in the same Class B as you?

Logan

SVater () oh hra com wrote:

Over the last month, I have seen increasing numbers of Smurf trying to come in on my home firewall, all on Port 0. From what I have seen & read, this is a pretty old vulnerability that has been patched. Is this a new hole? I went from seeing one in a month to 40 (different IPs) just this weekend over a 72 hr period. All coming from my local area (guessing just on the info that I pull from GeoBytes.com). Anyone else seeing this ?

Sean

"Eagles may soar but weasels don't get sucked into jet engines." Steven Wright

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit us: www.blackhat.com
----------------------------------------------------------------------------
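Added example, not part of the original post: a Python sketch that parses lines in the layout of the firewall log above, counts each paired entry once, and groups distinct sources by ICMP type. The field order, the treatment of the paired entries as one event, and the sample lines are assumptions constructed for illustration; ICMP type 8 is an echo request and type 0 an echo reply, and the target of a Smurf flood receives the replies.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses, rule name shortened).
# Assumed field order: time, action, protocol, direction, source, ICMP type,
# destination, ICMP code, optional driver path, count, begin, end, rule.
SAMPLE = r"""
08/26/2003 19:47:46 Blocked ICMP Incoming 192.0.2.10 8 198.51.100.5 0 1 08/26/2003 19:47:03 08/26/2003 19:47:03 Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 192.0.2.10 8 198.51.100.5 0 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 1 08/26/2003 19:47:03 08/26/2003 19:47:03 Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 192.0.2.77 8 198.51.100.5 0 1 08/26/2003 19:47:01 08/26/2003 19:47:01 Normal_100
08/26/2003 19:47:46 Blocked ICMP Incoming 203.0.113.9 0 198.51.100.5 0 1 08/26/2003 19:46:55 08/26/2003 19:46:55 Normal_100
"""

TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
LINE = re.compile(
    rf"^{TS} (?P<action>\S+) ICMP (?P<dir>\S+) (?P<src>\S+) (?P<type>\d+) "
    rf"(?P<dst>\S+) (?P<code>\d+) (?:(?P<app>\S+) )?(?P<count>\d+) "
    rf"(?P<begin>{TS}) {TS} (?P<rule>\S+)$")

# Type 8 entries are inbound pings; type 0 entries are replies to pings,
# which is what reflected Smurf traffic looks like at the target.
ICMP_NAMES = {0: "echo-reply", 8: "echo-request"}


def summarize(text):
    """Return {icmp type name: sorted distinct sources}, one count per event."""
    seen = set()
    sources = defaultdict(set)
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ICMP entry in the assumed layout
        # Entries appear in pairs (with and without the driver path); keying
        # on source, destination, type and begin time counts each pair once.
        key = (m["src"], m["dst"], m["type"], m["begin"])
        if key in seen:
            continue
        seen.add(key)
        name = ICMP_NAMES.get(int(m["type"]), "type-" + m["type"])
        sources[name].add(m["src"])
    return {name: sorted(srcs) for name, srcs in sources.items()}


if __name__ == "__main__":
    for name, srcs in summarize(SAMPLE).items():
        print(f"{name}: {len(srcs)} distinct source(s): {', '.join(srcs)}")
```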