At 12:50 PM 12/22/97 -0500, you wrote:
Has anyone seen an increase of broadcast pings, where the source route appears to be from a nameserver?
We took a look through our access-list logs, and it seems all of the attempted attacks during the last few days have had an IP-source of a nameserver.
Just thought it was curious.
Best regards,
Jamie Scheinblum - FASTNET(tm) / You Tools Corporation jamie@fast.net (610)954-5200 http://www.fast.net/ FASTNET - Business and Personal Internet Solutions
Jamie, It is probably just someone 'smurfing', where they fudge the source ip of the broadcast ping request. The actual source of the ICMP request is probably entirely different than the nameserver you are seeing in your logs....hence the difficulty(although not impossible) tracking these attacks. I would imagine that this poor nameserver in question is also suffering from the attack as well when all the pinged devices attempt to respond. You probably have one or more folks using the same dummy address for the source. This is the nature of the 'smurf' problem. Check out: http://www.quadrunner.com/~chuegen/smurf.cgi This is a co-worker of mine that has put together some useful background and tips addressing this issue. Hope that helps. al