Security Basics mailing list archives

RE: Is anyone else seeing SMURF ?


From: "Dougal McWhinney" <dmcwhinney () qmag com au>
Date: Wed, 27 Aug 2003 08:03:01 +1000

Hi All,

We appear to be having a lot of ICMP packets from outside port 8 to port
0 on our mail server.  Our mail server is rejecting them, but is this
part of a SMURF attack??

Regards, 
Dougal. 


-----Original Message-----
From: Jamie Pratt [mailto:jamie () nucdc org] 
Sent: Wednesday, August 27, 2003 4:06 AM
To: security-basics () securityfocus com
Subject: Re: Is anyone else seeing SMURF ?

Unfortunately, this smurf business may be old, but not gone.. Worst part
is due to the nature of these attacks, you can't find the real source
ip's - (thank the irc script-kiddies obviously.. who else would be so
bored?) - they are apparently using these (and probably other) networks
as 'smurf amplifiers':

http://www.powertech.no/smurf

jamie

Logan Rogers-Follis - TNTNetworx.net wrote:

Sean,
   I see about 50+ of these a day if I leave my PC on all the time....of
course they are always stopped by my firewall, but they're still annoying
because they fill up my logs.  I see them from all different IPs even
though I just recently moved myself into a new Class C netblock (no one
else is in it except a Cisco Router).  So I would also be interested to
know if anyone knows why, just 'cause it's annoying :-P  Though I have
never bothered to check their IPs for location (I know a good chunk of
the netblocks licensed to my region, so I'll see what I find).
   Are these different IPs in the same Class B as you?

Logan

SVater () oh hra com wrote:

Over the last month, I have seen increasing numbers of Smurf trying to
come in on my home firewall, all on Port 0.  From what I have seen & read,
this is a pretty old vulnerability that has been patched. Is this a new
hole? I went from seeing one in a month to 40 (different IPs) just this
weekend over a 72 hr period. All coming from my local area (guessing just
on the info that I pull from GeoBytes.com).

Anyone else seeing this ?

Sean


"Eagles may soar but weasels don't get sucked into jet engines."
Steven Wright



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event.  Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.
Visit us: www.blackhat.com
----------------------------------------------------------------------------




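A triage sketch for the kind of log entries discussed in this thread, added here as an example and not part of any poster's message. It assumes the firewall prints the ICMP type and code in the columns where TCP/UDP ports would go (so "port 8 to port 0" reads as type 8, code 0, an echo request); the log format, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (documentation addresses). Assumed log format:
# the firewall prints ICMP type and code where TCP/UDP ports would go.
SAMPLE_LOG = """\
2003-08-26 22:01:13 DROP ICMP 203.0.113.7:8 -> 192.0.2.25:0
2003-08-26 22:01:19 DROP ICMP 198.51.100.40:8 -> 192.0.2.25:0
2003-08-26 22:02:02 DROP ICMP 198.51.100.91:8 -> 192.0.2.255:0
2003-08-26 22:02:05 DROP ICMP 203.0.113.66:0 -> 192.0.2.25:0
"""
LINE = re.compile(r"ICMP (\S+):(\d+) -> (\S+):(\d+)")
ICMP_NAMES = {(8, 0): "echo-request", (0, 0): "echo-reply"}

def classify(line, local_net):
    """Return (src, label) for one ICMP log line, or None if it does not parse."""
    m = LINE.search(line)
    if not m:
        return None
    src, icmp_type, icmp_code = m[1], int(m[2]), int(m[4])
    dst = ipaddress.ip_address(m[3])
    net = ipaddress.ip_network(local_net)
    name = ICMP_NAMES.get((icmp_type, icmp_code),
                          f"type{icmp_type}/code{icmp_code}")
    if name == "echo-request":
        if dst in (net.network_address, net.broadcast_address):
            # Request aimed at a broadcast address: an attempt to use this
            # network as an amplifier. In a smurf attack the source shown
            # is the spoofed victim, not the sender.
            return src, "amplifier-probe"
        return src, "unicast-ping"  # ordinary ping or sweep of one host
    # Echo replies nobody asked for, in bulk from many sources, are what
    # the victim of a smurf attack receives.
    return src, name

def summarize(log_text, local_net):
    """Count the labels seen across all parseable lines."""
    results = (classify(line, local_net) for line in log_text.splitlines())
    return Counter(r[1] for r in results if r)

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LOG, "192.0.2.0/24").items():
        print(f"{label}: {n}")
```

Only the broadcast-directed requests and bulk echo replies match the smurf pattern; echo requests to a single host address are pings or sweeps.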

