Jeremiah Kristal wrote:
I find it even more interesting how often I see 10.177.180.0/24 showing up in smurf logs. Is there some equipment that defaults to this network, some manual that uses this as an example, or is there a specific LAN that gets hit on every major smurf attack? If it's really one network, you would think we could find and provide clue to the operator(s).
It could be leaking to the Internet in _some_ places (but it isn't here). It might be internal to the attacker's network, in which case the attacker is using his bandwidth to wage the attack. It might be internal to the ISP of the attacker, in which case he's just using his ISP's bandwidth (the attacker could still wage this from an analog dialup). It could be remotely possible that it is internal to mindspring, but for that to be, that network would have to be announced from mindspring (highly doubtful) and get to the attacker's network (highly doubtful), or maybe the attacker is actually a mindspring customer (echo requests go out, massive replies come back) but this would make it way too easy to track down and mindspring surely has filters on their dialups to block spoofing.

One other possible cause is that the attacker is spoofing those replies as a secret signature.

All outgoing packets from my network are denied unless their source is one of my netblocks. Obviously the attacker is using someone who will not or cannot do that.

--
-- *-----------------------------* Phil Howard KA9WGN * --
-- | Inturnet, Inc. | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net | --
-- *-----------------------------* philh at intur.net * --
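
The egress rule described in the reply above (outgoing packets denied unless their source is in one of the sender's netblocks), together with a per-/24 tally of echo-reply sources that separates RFC 1918 space such as 10.177.180.0/24 from routable space, as an added example that is not part of the original thread. The netblocks, log format and log lines are constructed assumptions; documentation address ranges stand in for real networks.

```python
import ipaddress
from collections import Counter

# Assumed for illustration: documentation ranges standing in for "my netblocks".
MY_NETBLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# RFC 1918 ranges: a source in these should never arrive from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, format: "<time> <proto> <type> <src> -> <dst>"
SAMPLE_LOG = [
    "12:00:01 icmp echo-reply 10.177.180.5 -> 192.0.2.10",
    "12:00:01 icmp echo-reply 10.177.180.77 -> 192.0.2.10",
    "12:00:01 icmp echo-reply 203.0.113.9 -> 192.0.2.10",
    "12:00:02 icmp echo-reply 203.0.113.200 -> 192.0.2.10",
    "12:00:02 icmp echo-reply 10.177.180.5 -> 192.0.2.10",
    "12:00:02 tcp syn 203.0.113.9 -> 192.0.2.10",
    "truncated line",
]

def egress_permit(src):
    """Permit an outgoing packet only if its source is in one of our netblocks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MY_NETBLOCKS)

def is_rfc1918(src):
    """True if the address falls in RFC 1918 private space."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def summarize_replies(log_lines):
    """Count ICMP echo-reply sources per /24, split into private and routable."""
    private, routable = Counter(), Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) != 6 or fields[1:3] != ["icmp", "echo-reply"]:
            continue  # not an echo reply, or a malformed line
        try:
            net24 = ipaddress.ip_network(fields[3] + "/24", strict=False)
        except ValueError:
            continue  # source field is not a valid IPv4 address
        bucket = private if is_rfc1918(fields[3]) else routable
        bucket[str(net24)] += 1
    return private, routable

if __name__ == "__main__":
    private, routable = summarize_replies(SAMPLE_LOG)
    print("private-source /24s:", dict(private))
    print("routable-source /24s:", dict(routable))
    print("egress 10.177.180.5 permitted:", egress_permit("10.177.180.5"))
```

The explicit RFC 1918 list is used instead of Python's `is_private` attribute because `is_private` also returns true for other reserved ranges, including the documentation blocks used here as sample data.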