Security Incidents mailing list archives

Re: smurf scanning

From: measl () MFN ORG (Missouri FreeNet Administration)
Date: Tue, 22 Feb 2000 22:06:21 -0600


On Sun, 20 Feb 2000, Jon Lewis wrote:

:I was scanning through some firewall logs for a client this weekend and
:noticed 40 scans in the past week for either 8/0/icmp x.y.z.0 or 8/0/icmp
:x.y.z.255 (they have a T1 to the net and a single /24).

Pretty common occurrence.  We see several of these a day from  sources
similar to yours, in addition to the "antiamplifier" sites.

: I guess the people who use smurf
:have to continually hunt for networks appropriate for smurf
:amplification...

No, only the cloobies do this.  The work is  already done and posted, but
they  don't know  where  to find it.

:Also present in the logs were people scanning the entire /24 for dns
:servers, and other less common protocols.  Are others seeing/noticing
:similar things?

Uh, only for about the last four years ;-)

          Most common:  smurf/fraggle scans
            Runner Up:  Winblows 137/139
Honorable Mentions to:  IMAP and RPC

        What I  find *really* interesting is the  distribution of the
scanners themselves...

          Most Common:  @home (usually testosterone enabled cloobies)
            Runner Up:  Italy :-) (Who knows why - they seldom answer)
 Dishonorable Mention:  Really Old Linux Boxen (usually root jobs)

:----------------------------------------------------------------------
: Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
: System Administrator        |  nestea'd...whatever it takes
: Atlantic Net                |  to get the job done.
:_________http://www.lewis.org/~jlewis/pgp for PGP public key__________

Yours,
J.A. Terranson
sysadmin () mfn org

--
If Governments really want us to behave like civilized human beings, they
should give serious consideration towards setting a better example:
Ruling by force, rather than consensus; the unrestrained application of
unjust laws (which the victim-populations were never allowed input on in
the first place); the State policy of justice only for the rich and
elected; the intentional abuse and occassionally destruction of entire
populations merely to distract an already apathetic and numb electorate...
This type of demogoguery must surely wipe out the fascist United States
as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers,
associates, or others.  Besides, if it *were* the opinion of all of
those people, I doubt there would be a problem to bitch about in the
first place...
--------------------------------------------------------------------

Current thread:

Re: @home: Is *anyone* really home there???, (continued)
- - Re: @home: Is *anyone* really home there??? Omachonu Ogali (Feb 22)
  - Re: @home: Is *anyone* really home there??? Jim Littlefield (Feb 23)
    - Re: @home: Is *anyone* really home there??? James M. Atkinson, Comm-Eng (Feb 23)
    - Re: @home: Is *anyone* really home there??? David Brumley (Feb 23)
    - Re: @home: Is *anyone* really home there??? Philip R. Moyer (Feb 23)
    - Re: @home: Is *anyone* really home there??? Jim Littlefield (Feb 23)
    - Re: @home: Is *anyone* really home there??? Brad Griffin (Feb 24)
    - Re: @home: Is *anyone* really home there??? Jon Paul, Nollmann (Feb 26)
    - Re: @home: Is *anyone* really home there??? Thomas Molina (Feb 24)
    - IMAPD probe from 210.242.175.223 (sampa.org.tw) David A. Bandel (Feb 23)
- Re: smurf scanning Missouri FreeNet Administration (Feb 22)