On Mon, 11 Jan 1999, Phil Howard wrote:
Jeremiah Kristal wrote:
I find it even more interesting how often I see 10.177.180.0/24 showing up in smurf logs.
It could be leaking to the Internet in _some_ places (but it isn't here). It might be internal to the attacker's network, in which case the attacker is using his bandwidth to wage the attack. It might be internal to the ISP of the attacker, in which case he's just using his ISP's bandwidth (the attacker could still wage this from an analog dialup).
Those are all possible, but...
It could be remotely possible that it is internal to mindspring, but for that to be, that network would have to be announced from mindspring (highly doubtful) and get to the attacker's network (highly doubtful), or maybe the attacker is actually a mindspring customer (echo requests go out, massive replies come back) but this would make it way to easy to track down and mindspring surely has filters on their dialups to block spoofing.
Actually we aren't currently using the 10/8 network at all, so that's not it.
One other possible cause is that the attacker is spoofing those replies as a secret signature.
That's possible too, however the most likely explanation is that there is an amplifying network out there somewhere that has this 10.177.180.0/24 network on the same Ethernet segment as some other, publicly accessible network. Remember that when a directed broadcast is sent to an Ethernet (assuming that directed broadcast is turned on in the router) that the NIC will convert it to a MAC broadcast. Most (all?) OS's don't actually check to see if the destination IP address is actually the broadcast of the subnet that they are on, they just respond. Brandon Ross Network Engineering 404-815-0770 800-719-4664 Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com ICQ: 2269442 Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.