block/log broadcast pings: ------------- access-list 198 deny icmp any 0.0.0.255 255.255.255.0 log route-map ICMP-DENY permit 10 match ip address 198 interface ATM3/0 ip policy route-map ICMP-DENY ------------- Here's someone working thier way through a CIDR block(source address removed to protect the inocent): Dec 13 15:32:01 e1-1.baltimore.mae-east.clark.net 169458: .Dec 13 20:32:00.878: %SEC-6-IPACCESSLOGDP: list 198 denied icmp x.x.x.x -> 207.196.61.255 (8/0), 1 packet Dec 13 15:32:11 e1-1.baltimore.mae-east.clark.net 169459: .Dec 13 20:32:10.410: %SEC-6-IPACCESSLOGDP: list 198 denied icmp x.x.x.x -> 207.196.63.255 (8/0), 1 packet Dec 13 15:32:17 e1-1.baltimore.mae-east.clark.net 169460: .Dec 13 20:32:16.406: %SEC-6-IPACCESSLOGDP: list 198 denied icmp x.x.x.x -> 207.196.98.255 (8/0), 1 packet On Mon, 22 Dec 1997, Joe Shaw wrote:
I had a customers link go down because they were the target of a smurf attack a few weeks ago, and when I was sniffing the link to find out what was going on, I found tons of packets coming from root nameservers, .gov sites, and other places. If I hadn't been at a terminal, I'd have done a better job of logging them when it happened. As it stands, I just turned off ICMP into my routers for a few hours and all was well. What I would have given to have had a dedicated sniffer so I could have done a better job of logging.
Regards, Joe Shaw - jshaw@insync.net NetAdmin - Insync Internet Services Fortune for the day: "Speak softly and carry a +6 two-handed sword."
On Mon, 22 Dec 1997, Jamie Scheinblum wrote:
Has anyone seen an increase of broadcast pings, where the source route appears to be from a nameserver?
We took a look through our access-list logs, and it seems all of the attempted attacks during the last few days have had an IP-source of a nameserver.
Just thought it was curious.
Best regards,
Jamie Scheinblum - FASTNET(tm) / You Tools Corporation jamie@fast.net (610)954-5200 http://www.fast.net/ FASTNET - Business and Personal Internet Solutions