I think it's as usual - result of IRC flame:
- I am a guru, you are a lamer;
- hmm, wait a minute.
- oyyyyy..,..... bum....
- you see - you can't smurf me, I am stronger...
(raw, raw translation from Russian).

Look for the broken servers used by the hackers... -:)

On Mon, 7 Dec 1998, Jon Lewis wrote:

Date: Mon, 7 Dec 1998 01:19:17 -0500 (EST)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: nanog@merit.edu
Subject: smurf attack
FDT was on the receiving end of a roughly 1 hour smurf attack this evening. I'm told it was probably something to do with the takeover of some gay related IRC channels and that the attack was not isolated to FDT.
This has me really thinking again that someone needs to start up a blackhole BGP feed (similar to the MAPS RBL) for the purpose of annoying smurf-amp networks into cleaning up their nets.
Below is a list of networks (assumed to be /24's for convenience) and the number of unique IPs seen sending echo replies in each network during a 5 minute sample of the attack. It should be noted, most of these networks are likely to be far worse smurf amps than suggested by my numbers. Now that I think about it, it's obvious. Both our T1's to the net were totally filled by the attack, so lots of packets didn't get through. I've clipped all the nets showing only 1 host...but it's likely some of them really were smurf amps. The last one on the list, 200.130.98.0, for which I only saw 2 unique addresses in my tcpdump now results in:
2 packets transmitted, 2 packets received, +47 duplicates, 0% packet loss
Anyway...if these are your networks, clean them up before you get blackholed. I'll go and feed this list through my script that registers nets with www.powertech.no/smurf/ now.
These are the hosts that took part in flooding FDT with icmp echo replies. Being listed here does not imply that your network is a smurf amp, but might help you track things down if you have smurf amp subnets. Even if your network only participated in a 1:1 ratio, you are listed here if you showed up in the 5 minutes I logged.
----don't waste your cpu, crack rc5...www.distributed.net team enzo---
 Jon Lewis <jlewis@fdt.net>  |  Spammers will be winnuked or
 Network Administrator       |  nestea'd...whatever it takes
 Florida Digital Turnpike    |  to get the job done.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key________
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
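
The per-/24 tally described in the quoted message, as an added example that is not part of the original e-mail or the script its author used: it counts unique echo-reply sources per /24 from tcpdump text output and clips networks that show only one responder. The function name, the `min_hosts` parameter and the sample capture lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches both the older "icmp: echo reply" and the current "ICMP echo reply"
# forms of tcpdump's text output (run with -n so addresses are numeric).
REPLY_RE = re.compile(
    r"\b(\d{1,3}(?:\.\d{1,3}){3}) > (\d{1,3}(?:\.\d{1,3}){3}): (?:icmp:|ICMP) echo reply"
)

def summarize_echo_replies(lines, min_hosts=2):
    """Return (networks, hosts).

    networks: [(first three octets, unique responders)], most responders first,
              keeping only nets with at least min_hosts responders.
    hosts:    Counter of echo replies seen per source address.
    """
    hosts = Counter()
    per_net = defaultdict(set)
    for line in lines:
        m = REPLY_RE.search(line)
        if not m:
            continue  # echo requests, other protocols, truncated lines
        src = m.group(1)
        octets = src.split(".")
        if any(int(o) > 255 for o in octets):
            continue  # not a valid IPv4 address
        hosts[src] += 1
        per_net[".".join(octets[:3])].add(src)  # /24 assumed, as in the message
    networks = sorted(
        ((net, len(ips)) for net, ips in per_net.items() if len(ips) >= min_hosts),
        key=lambda item: (-item[1], item[0]),
    )
    return networks, hosts

# Constructed sample capture (not from the original traffic).
SAMPLE = """\
01:19:17.000101 IP 192.0.2.10 > 198.51.100.5: ICMP echo reply, id 7, seq 1, length 64
01:19:17.000102 IP 192.0.2.11 > 198.51.100.5: ICMP echo reply, id 7, seq 1, length 64
01:19:17.000103 IP 192.0.2.10 > 198.51.100.5: ICMP echo reply, id 7, seq 2, length 64
01:19:17.000104 IP 192.0.2.12 > 198.51.100.5: ICMP echo reply, id 7, seq 2, length 64
01:19:17.000105 203.0.113.9 > 198.51.100.5: icmp: echo reply
01:19:17.000106 IP 198.51.100.5 > 203.0.113.1: ICMP echo request, id 9, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    nets, per_host = summarize_echo_replies(SAMPLE)
    for net, count in nets:
        print(f"{net}: {count}")
```

Counts taken on a saturated link are a lower bound, since replies dropped upstream never reach the capture point.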