nanog mailing list archives
Re: Broadcast pings.
From: Stephen Balbach <stephen () clark net>
Date: Tue, 23 Dec 1997 11:42:24 -0500 (EST)
block/log broadcast pings: ------------- access-list 198 deny icmp any 0.0.0.255 255.255.255.0 log route-map ICMP-DENY permit 10 match ip address 198 interface ATM3/0 ip policy route-map ICMP-DENY ------------- Here's someone working thier way through a CIDR block(source address removed to protect the inocent): Dec 13 15:32:01 e1-1.baltimore.mae-east.clark.net 169458: .Dec 13 20:32:00.878: %SEC-6-IPACCESSLOGDP: list 198 denied icmp x.x.x.x -> 207.196.61.255 (8/0), 1 packet Dec 13 15:32:11 e1-1.baltimore.mae-east.clark.net 169459: .Dec 13 20:32:10.410: %SEC-6-IPACCESSLOGDP: list 198 denied icmp x.x.x.x -> 207.196.63.255 (8/0), 1 packet Dec 13 15:32:17 e1-1.baltimore.mae-east.clark.net 169460: .Dec 13 20:32:16.406: %SEC-6-IPACCESSLOGDP: list 198 denied icmp x.x.x.x -> 207.196.98.255 (8/0), 1 packet On Mon, 22 Dec 1997, Joe Shaw wrote:
I had a customers link go down because they were the target of a smurf attack a few weeks ago, and when I was sniffing the link to find out what was going on, I found tons of packets coming from root nameservers, .gov sites, and other places. If I hadn't been at a terminal, I'd have done a better job of logging them when it happened. As it stands, I just turned off ICMP into my routers for a few hours and all was well. What I would have given to have had a dedicated sniffer so I could have done a better job of logging. Regards, Joe Shaw - jshaw () insync net NetAdmin - Insync Internet Services Fortune for the day: "Speak softly and carry a +6 two-handed sword." On Mon, 22 Dec 1997, Jamie Scheinblum wrote:Has anyone seen an increase of broadcast pings, where the source route appears to be from a nameserver? We took a look through our access-list logs, and it seems all of the attempted attacks during the last few days have had an IP-source of a nameserver. Just thought it was curious. Best regards, Jamie Scheinblum - FASTNET(tm) / You Tools Corporation jamie () fast net (610)954-5200 http://www.fast.net/ FASTNET - Business and Personal Internet Solutions
Current thread:
- Broadcast pings. Jamie Scheinblum (Dec 22)
- Re: [nanog] Broadcast pings. Stephen Balbach (Dec 22)
- Re: Broadcast pings. Joe Shaw (Dec 23)
- Re: Broadcast pings. Stephen Balbach (Dec 23)
- Re: Broadcast pings. Phil Howard (Dec 23)
- Re: Broadcast pings. Paul Ferguson (Dec 23)
- Re: Broadcast pings. Dean Anderson (Dec 23)
- Message not available
- Re: Broadcast pings. Jay R. Ashworth (Dec 24)
- <Possible follow-ups>
- Re: Broadcast pings. Al Roethlisberger (Dec 22)
- RE: Broadcast pings. Al Roethlisberger (Dec 22)
- RE: Broadcast pings. Jamie Scheinblum (Dec 22)