Security Incidents mailing list archives

Re: Smurf attack?


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Sun, 8 Oct 2000 18:24:11 -0700

On Fri, 6 Oct 2000, Glenn Gillis wrote:

> 1) Should I consider this a smurf attack, and if so what is the appropriate reaction
> on my part? I assume the source address is likely spoofed?

Someone is attempting to see if you're a suitable relay, yes.

> So notifying the upstream provider (exodus.net) would seem to be a
> waste of time. Should I just notify my ISP?

I wouldn't bother notifying anyone.

> 2) Speaking of my ISP, shouldn't they be blocking IP-directed broadcasts?

The broadcast address depends on the subnet mask.  Breaking subnets on the
octet boundary is dead common, but not the only option.

> 3) The traffic at the bottom of the log snippet to UDP ports 35095, 27434, etc. to our
> broadcast address doesn't make any sense to me. Any suggestions?

With UDP, you can also mass-scan for listening services.

> Any enlightenment would be appreciated,


The ping from 216.200.210.88 is me.  You seem to be properly blocking
broadcast expansion.  You're clean, I wouldn't worry about it any
further.  There's lots of other relay sites they can use.

                                                Ryan
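
An added example, not part of the original message: a log check that flags packets aimed at a subnet's directed-broadcast address, using the actual subnet masks rather than assuming every broadcast address ends in .255. The subnets, the "proto src dst dport" log format, the sample lines and the function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed site subnets (constructed, documentation ranges); none break on /24.
SUBNETS = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/26", "192.0.2.64/26", "198.51.100.0/23")]

# Constructed log lines in an assumed "proto src dst dport" format.
SAMPLE_LOG = """\
icmp 203.0.113.7 192.0.2.63 -
icmp 203.0.113.7 192.0.2.255 -
icmp 203.0.113.7 198.51.101.255 -
udp 203.0.113.9 192.0.2.127 35095
udp 203.0.113.9 192.0.2.127 27434
icmp 203.0.113.7 198.51.100.255 -
tcp 203.0.113.20 192.0.2.10 80
"""

def broadcast_kind(dst, subnets=SUBNETS):
    """Return (subnet, kind) if dst is a broadcast-style address of a
    configured subnet, else None. kind is 'broadcast' or 'network'."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if net.prefixlen >= 31:
            continue  # point-to-point links have no broadcast address
        if addr == net.broadcast_address:
            return net, "broadcast"
        if addr == net.network_address:
            return net, "network"  # all-zeros host part, legacy broadcast form
    return None

def find_probes(log_text, subnets=SUBNETS):
    """Group broadcast-directed packets by (source, protocol)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        proto, src, dst, dport = parts
        kind = broadcast_kind(dst, subnets)
        if kind:
            hits[(src, proto)].append((dst, str(kind[0]), dport))
    return dict(hits)

if __name__ == "__main__":
    for (src, proto), pkts in find_probes(SAMPLE_LOG).items():
        print(src, proto, pkts)
```

With these masks, 198.51.100.255 is an ordinary host address inside the /23 and 192.0.2.255 belongs to no configured subnet, so neither is flagged, while 192.0.2.63 and 192.0.2.127 are.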

