-----Original Message-----
From: Karl Denninger <karl@mcs.net>
To: Vern Paxson <vern@ee.lbl.gov>
Cc: Andrew Herdman <andrew@whine.com>; nanog@merit.net <nanog@merit.net>
Date: Friday, June 19, 1998 9:37 AM
Subject: Re: Smurf Amp Nets
On Thu, Jun 18, 1998 at 10:16:38PM -0700, Vern Paxson wrote:
0.0.0.0 10.0.4.0 127.0.0.0 255.255.255.0
These are pretty cool, I must say. Exactly how does the smurf attacker route their echo requests to them?
Vern
They are straight forged packet flows.
Nah, those are machines on the relay being used, sending those replies. Sometimes from machines given those IPs and sometimes from misconfigured networks. I used to have one that would reply 500 times from 10.0.0.1. Just because the broadcast being used is 1.2.3.255 does not mean you will only get packets from 1.2.3.x, and conversely, because you receive pings from 1.2.3.x and 1.2.4.x and 1.2.5.x does not necessarily mean there are 3 broadcasts being used. It could easily be only on 1.2.3.255 or even 1.2.69.255 for all you know (and I've seen strange cases of each). This is a complication when you are getting your bcasts from logs of a smurf attack, because you never really know where those 10.0.0.0/8's come from, and a complication when you are getting your bcasts from a network scan, because you sometimes see huge arrays of broadcasts that are actually just the same hosts being repeated on different broadcasts (ex: you just found 1.2.3.255 - 1.2.203.255 all have 200 dupes each, but closer examination reveals every broadcast returns replies from the same host). Fortunately these problems are even more annoying to the smurf kiddies, for whom it is important to have an accurate estimation of the damage that will be inflicted.