Yep its all a bit weird, I guess people are not too knowledgeable about it. For starters the original explit wont work very well out of the box for most script kiddies (random source addresses -> killed by anti-spoofing), and a single packet to a vulnerable box isnt enough (need to fill the queue slots). More of an annoyance really - most of the outages as a result are going to be from people upgrading boxes, not victims of attack. BB
-----Original Message----- From: jlewis@lewis.org [mailto:jlewis@lewis.org]
On Fri, 18 Jul 2003, Ben Buxton wrote:
It's released and it works - I have verified it in a lab here.
And others are trying it in the field now. I setup the recommended transit ACLs yesterday. Starting at 9:25am EDT this morning, those ACLs started getting hits. What doesn't make sense to me is according to the advisory, the packets have to be destined for the router to crash it (not just passed through it), but people are attacking seemingly random IPs, including ones in a new ARIN block that have not yet been assigned/used for anything. What do they think they're attacking?
---------------------------------------------------------------------- Jon Lewis *jlewis@lewis.org*| I route System Administrator | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________