Jeremiah Kristal wrote:
I agree that clueful operators filter RFC1918 addresses at their borders and that they do not accept advertisements for RFC1918 space, however, there is a specific network (10.177.180/24) that appears again and again in smurf logs. I find it rather interesting that with 65k available /24s in the 10/8 space, one specific /24 pops up much more often than any other. Granted it's not that large an amplifier, but it seems odd that even an RFC1918 network would be used as an amplifier for this long without someone finding and securing it.
My biggest suspicion is that the clueless script kiddie(s) involved did a scan for amplifiers w/o regard to RFC1918 (the number of addresses in RFC1918 is a mere 0.476% of the whole possible range), and never filtered them out. They perhaps did make the attack slightly worse than w/o, so maybe leaving them in was intended. Now if we can identify who has 10.177.180/24 internally, we could be getting somewhere.

One thing that could be useful when reducing attack sniff data to a list of addresses is to produce a frequency of occurrence for each address. There may be wide ranges in the frequencies. If 10.177.180/24 shows up very rarely compared to the rest, that could indicate that the attack is originating on a relatively low speed network with 10.177.180/24 being behind that network. OTOH, if it is about the same, then the bandwidth for that network would be relatively high.

-- 
-- *-----------------------------* Phil Howard KA9WGN * --
-- | Inturnet, Inc. | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net | --
-- *-----------------------------* philh at intur.net * --
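One way to do the frequency reduction Phil describes, as an added example that is not code from the thread: it reads tcpdump-style echo-reply lines (the sample below is constructed, with documentation addresses standing in for the victim and amplifiers), counts replies per source /24 rather than per host so each amplifier network is one entry, flags RFC1918 prefixes, and applies the "rare versus about the same" bandwidth heuristic against the loudest prefix.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style lines standing in for a sniff of smurf reply
# traffic arriving at a victim (192.0.2.10). None of these are real captures.
SAMPLE_LOG = """\
12:00:01.000 IP 198.51.100.17 > 192.0.2.10: ICMP echo reply
12:00:01.001 IP 198.51.100.42 > 192.0.2.10: ICMP echo reply
12:00:01.002 IP 198.51.100.9 > 192.0.2.10: ICMP echo reply
12:00:01.003 IP 203.0.113.5 > 192.0.2.10: ICMP echo reply
12:00:01.004 IP 10.177.180.5 > 192.0.2.10: ICMP echo reply
12:00:01.005 IP 198.51.100.3 > 192.0.2.10: ICMP echo reply
12:00:01.006 IP 203.0.113.77 > 192.0.2.10: ICMP echo reply
12:00:01.007 IP 198.51.100.200 > 192.0.2.10: ICMP echo reply
truncated junk line that the parser must skip
"""

SRC_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+) > ")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def reply_frequency_by_prefix(log_text, prefixlen=24):
    """Count echo replies per source prefix (the amplifier network).

    Returns {prefix: {"count", "share", "rfc1918"}} ordered loudest first.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue  # not a packet line; ignore
        net = ipaddress.ip_network(f"{m.group(1)}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    total = sum(counts.values())
    return {p: {"count": n, "share": n / total,
                "rfc1918": is_rfc1918(p.split("/")[0])}
            for p, n in counts.most_common()}


def interpret(freqs, prefix, rare_ratio=0.5):
    """Thread heuristic: a prefix seen rarely relative to the loudest one is
    likely behind a slow link; one seen about as often has comparable bandwidth."""
    loudest = next(iter(freqs.values()))["count"]
    ratio = freqs[prefix]["count"] / loudest
    return "low-bandwidth path" if ratio < rare_ratio else "comparable bandwidth"
```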