4 Jun
1998
4 Jun
'98
11:49 a.m.
John Fraizer wrote:
The thing that makes it "interesting" is the fact that most implementations DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in the neighborhood of 1.7Mb before they routed the netblock in question to a loopback interface on the 7507. The attacker was sending less that 300Kb of traffic and consuming 2Mb.
Any idea where that much amplification is coming from? For smurf with an echo request to a broadcast, its easy to see why there is so much amplification. But for a TCP or UDP packet to port 0, wouldn't just one port unreachable be sent back to the (spoofed) source? Or is it a broadcast TCP or UDP packet to port 0 ??? Thanks, Sean Butler, IBM Global Services