I had a customers link go down because they were the target of a smurf attack a few weeks ago, and when I was sniffing the link to find out what was going on, I found tons of packets coming from root nameservers, .gov sites, and other places. If I hadn't been at a terminal, I'd have done a better job of logging them when it happened. As it stands, I just turned off ICMP into my routers for a few hours and all was well. What I would have given to have had a dedicated sniffer so I could have done a better job of logging. Regards, Joe Shaw - jshaw@insync.net NetAdmin - Insync Internet Services Fortune for the day: "Speak softly and carry a +6 two-handed sword." On Mon, 22 Dec 1997, Jamie Scheinblum wrote:
Has anyone seen an increase of broadcast pings, where the source route appears to be from a nameserver?
We took a look through our access-list logs, and it seems all of the attempted attacks during the last few days have had an IP-source of a nameserver.
Just thought it was curious.
Best regards,
Jamie Scheinblum - FASTNET(tm) / You Tools Corporation jamie@fast.net (610)954-5200 http://www.fast.net/ FASTNET - Business and Personal Internet Solutions