Hi, not sure I follow. schnell.ebone.net is actually an interface of Sprint icm-bb1-pen which connects to a FDDI ring in Pennsauken built for multicast. The name/address (schnell.ebone.net) is there for historical reasons and should be changed to something-else.icp.net. As for directed broadcast, it is long since turned off on all EBONE routers. --BC
Ok, here's some more stuff on the directed broadcast out of the Sprint NAP in Pennsauken, NJ.
1) Directed broadcasts weren't disabled at the Spokane, WA router and whoever was doing this attack was aware of that fact. I managed to disable it and write that change to memory.
If you decided to check that router anytime soon (spn-brdr-01) check the counters on the Fddi1/1/0 interface that links to the Pennsauken NAP. You'll see that 99% of the traffic coming through are directed broadcasts.
2) If you decided to restore the configuration on that router, I suggest you go back in and disable directed broadcasts on the Ebone interface (Fddi1/1/0) because it wasn't disabled when I initially logged in and the directed broadcast still appears to be active (4:28pm EST, February 10, 1999).
traceroute to schnell.ebone.net (192.36.137.1): 1-30 hops, 38 byte packets
 1  vdi-dialup.vdi.net (209.201.95.2) [AS3951 - NETBLK-ICON-NET5]  109 ms  130 ms  110 ms
 2  router.vdi.net (209.3.31.1) [AS3951 - NETBLK-ICON-NET4]  110 ms  130 ms  120 ms
 3  Hssi3-0-0.border2.teb1.IConNet.NET (209.3.187.253) [AS3951 - NETBLK-ICON-NET4]  120 ms  139 ms  120 ms
 4  POS10-0-0.core1.teb1.IConNet.NET (204.245.71.201) [AS3951 - ICon CMT Corp.]  120 ms  149 ms  120 ms
 5  205.171.4.217 (205.171.4.217) [AS3909 - Colorado Supernet, Inc.]  119 ms  149 ms  120 ms
 6  205.171.4.134 (205.171.4.134) [AS3909 - Colorado Supernet, Inc.]  140 ms  158 ms  120 ms
 7  schnell.ebone.net (192.36.137.1)  230 ms (ttl=244!)  259 ms (ttl=244!)  *
Notice the latency jump at the last hop; five other traceroutes showed similar data.
3) Check the NYC core router (nyc-core-01) and look at the Teleglobe and Spokane interfaces; earlier that day, there was approximately 75mbps coming in on the Teleglobe interface (POS0/0) and the same amount being output to the Spokane-bound interface.
4) I shut down the Sprint interface (Fddi2/1/0) on the Spokane border router for about 30 seconds, and there was approximately a 5mbps decrease in the directed broadcasts coming from Ebone at the Pennsauken NAP.
5) I then shut down the Ebone interface (Fddi1/1/0) on the Spokane border router for about 30 seconds, and there was approximately a 10mbps decrease in the outgoing traffic of the Sprint interface (Fddi2/1/0).
6) The interface statistics on the Sprint interface (Fddi2/1/0) showed there were some broadcasts being sent, but not as numerous as the Ebone interface. I would advise you check the other side of that interface for abnormal activity.
7) If you normally keep track of all your customers' bandwidth utilization, look for excessive peaks in the incoming and outgoing paths, along with anything that has jumped excessively in the past three days.
Omachonu Ogali
Intranova Networking Group
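
Added example, not part of the original thread: one way to quantify the per-interface share of directed-broadcast traffic that item 1 describes checking, working from flow records instead of router counters. The subnet list, flow tuples and function names are constructed for illustration; only the interface names come from the message above.

```python
import ipaddress
from collections import defaultdict

# Assumption: prefixes of the LAN segments behind the router (constructed values).
KNOWN_SUBNETS = [ipaddress.ip_network(n) for n in
                 ("192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24")]

# Constructed flow records: (ingress interface, destination IP, bytes).
SAMPLE_FLOWS = [
    ("Fddi1/1/0", "192.0.2.127", 90000),     # broadcast of 192.0.2.0/25
    ("Fddi1/1/0", "198.51.100.255", 9000),   # broadcast of 198.51.100.0/24
    ("Fddi1/1/0", "198.51.100.20", 1000),    # ordinary host
    ("Fddi2/1/0", "192.0.2.255", 500),       # broadcast of 192.0.2.128/25
    ("Fddi2/1/0", "192.0.2.200", 9500),      # ordinary host
]

def is_directed_broadcast(dst, subnets=KNOWN_SUBNETS):
    """True if dst is the broadcast address of a known subnet.
    A destination such as .127 only shows up if the real /25 mask is known;
    /31 and /32 prefixes have no broadcast address and are skipped."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if net.prefixlen >= net.max_prefixlen - 1:
            continue
        if addr == net.broadcast_address:
            return True
    return False

def broadcast_share(flows, subnets=KNOWN_SUBNETS):
    """Return {interface: fraction of bytes sent to directed-broadcast addresses}."""
    total = defaultdict(int)
    bcast = defaultdict(int)
    for iface, dst, nbytes in flows:
        total[iface] += nbytes
        if is_directed_broadcast(dst, subnets):
            bcast[iface] += nbytes
    return {i: bcast[i] / total[i] for i in total if total[i]}

def suspicious_interfaces(flows, threshold=0.5):
    """Interfaces where directed broadcasts exceed the threshold share of bytes."""
    return sorted(i for i, s in broadcast_share(flows).items() if s > threshold)

if __name__ == "__main__":
    for iface, share in broadcast_share(SAMPLE_FLOWS).items():
        print(f"{iface}: {share:.1%} of bytes to directed-broadcast addresses")
```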