Re: SMURF amplifier block list
In article <Pine.BSI.3.93.980412085359.7879a-100000@sidhe.memra.com>, Michael Dillon <michael@memra.com> wrote:
If Karl will supply us the IP address of a non-critical machine in his network then we only need one list maintained. Anyone can then add new networks to Karl's list simply by smurfing his non-critical machine and it will still meet his criteria of a verified attack.
Careful. I could, from a well-connected machine, launch a stream of forged ICMP echo replies from various 199.166.227.x addresses. This would cause it to look like junction.net was the source of a smurf, and cause them to be blocked.

Well, in the case of junction.net, there is no such forgery needed.

~$ host www.memra.com
www.memra.com A 199.166.227.56
~$ ping 199.166.227.255
PING 199.166.227.255 (199.166.227.255): 56 data bytes
64 bytes from 134.87.109.226: icmp_seq=0 ttl=243 time=110.2 ms
64 bytes from 199.166.227.41: icmp_seq=0 ttl=51 time=111.0 ms (DUP!)
64 bytes from 199.166.227.32: icmp_seq=0 ttl=242 time=112.2 ms (DUP!)
64 bytes from 199.166.227.54: icmp_seq=0 ttl=51 time=112.8 ms (DUP!)
64 bytes from 199.166.227.5: icmp_seq=0 ttl=51 time=113.7 ms (DUP!)
64 bytes from 199.166.227.27: icmp_seq=0 ttl=51 time=114.3 ms (DUP!)
64 bytes from 199.166.227.22: icmp_seq=0 ttl=51 time=115.0 ms (DUP!)
64 bytes from 199.166.227.1: icmp_seq=0 ttl=51 time=115.7 ms (DUP!)
64 bytes from 199.166.227.12: icmp_seq=0 ttl=242 time=116.4 ms (DUP!)
64 bytes from 199.166.227.19: icmp_seq=0 ttl=51 time=117.0 ms (DUP!)
64 bytes from 199.166.227.21: icmp_seq=0 ttl=242 time=117.7 ms (DUP!)
64 bytes from 199.166.227.28: icmp_seq=0 ttl=51 time=118.3 ms (DUP!)
64 bytes from 199.166.227.26: icmp_seq=0 ttl=242 time=119.0 ms (DUP!)
--- 199.166.227.255 ping statistics ---
1 packets transmitted, 1 packets received, +12 duplicates, 0% packet loss
round-trip min/avg/max = 110.2/114.8/119.0 ms

-- 
Shields, CrossLink.
On 13 Apr 1998, Michael Shields wrote:
Well, in the case of junction.net, there is no such forgery needed.
~$ host www.memra.com
www.memra.com A 199.166.227.56
I have just fired off a message to my ISP pointing him to the instructions for "no ip directed broadcast" so it will hopefully be fixed soon.

And I'm Cc'ing his upstream provider who probably never thought of testing all the ?.?.?.255 addresses in their network and contacting their downstream customers to get directed broadcast turned off. For them I'm including the URLs

http://www.quadrunner.com/~chuegen/smurf.cgi
ftp://ftp.isi.edu/in-notes/rfc2267.txt

I sure would hate to get cut off from sending mail to Karl. ;-)

-- 
Michael Dillon - Internet & ISP Consulting
http://www.memra.com - E-mail: michael@memra.com
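The broadcast-address ping that Michael Shields ran above, and the "test all the ?.?.?.255 addresses in your network" audit that Michael Dillon suggests, both produce ordinary ping transcripts. Below is an added example, not code from anyone in this thread, that parses such a transcript and reports what an operator auditing their own prefixes wants to know: how many distinct hosts answered a single probe to the broadcast address, the resulting amplification factor, and whether any responder sits outside the probed prefix (the first reply in Shields' transcript came from 134.87.109.226, not from 199.166.227.0/24). The first sample is the transcript quoted in the thread; the second, using the documentation prefix 192.0.2.0/24, is a constructed transcript of what a prefix looks like once the border router filters directed broadcasts. The regexes accept both the BSD reply format shown in the thread and the "host (ip):" / "N received" forms that Linux ping prints; that generalisation is mine, not the thread's.

```python
import re
from ipaddress import ip_address, ip_network

# Transcript quoted in the thread: one echo request to 199.166.227.255.
SAMPLE_AMPLIFIER = """PING 199.166.227.255 (199.166.227.255): 56 data bytes
64 bytes from 134.87.109.226: icmp_seq=0 ttl=243 time=110.2 ms
64 bytes from 199.166.227.41: icmp_seq=0 ttl=51 time=111.0 ms (DUP!)
64 bytes from 199.166.227.32: icmp_seq=0 ttl=242 time=112.2 ms (DUP!)
64 bytes from 199.166.227.54: icmp_seq=0 ttl=51 time=112.8 ms (DUP!)
64 bytes from 199.166.227.5: icmp_seq=0 ttl=51 time=113.7 ms (DUP!)
64 bytes from 199.166.227.27: icmp_seq=0 ttl=51 time=114.3 ms (DUP!)
64 bytes from 199.166.227.22: icmp_seq=0 ttl=51 time=115.0 ms (DUP!)
64 bytes from 199.166.227.1: icmp_seq=0 ttl=51 time=115.7 ms (DUP!)
64 bytes from 199.166.227.12: icmp_seq=0 ttl=242 time=116.4 ms (DUP!)
64 bytes from 199.166.227.19: icmp_seq=0 ttl=51 time=117.0 ms (DUP!)
64 bytes from 199.166.227.21: icmp_seq=0 ttl=242 time=117.7 ms (DUP!)
64 bytes from 199.166.227.28: icmp_seq=0 ttl=51 time=118.3 ms (DUP!)
64 bytes from 199.166.227.26: icmp_seq=0 ttl=242 time=119.0 ms (DUP!)
--- 199.166.227.255 ping statistics ---
1 packets transmitted, 1 packets received, +12 duplicates, 0% packet loss
round-trip min/avg/max = 110.2/114.8/119.0 ms
"""

# Constructed transcript (documentation prefix) of a network whose border
# router drops directed broadcasts: the probe simply goes unanswered.
SAMPLE_FILTERED = """PING 192.0.2.255 (192.0.2.255): 56 data bytes
--- 192.0.2.255 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
"""

# "64 bytes from 1.2.3.4: ..." (BSD) or "64 bytes from host (1.2.3.4): ..." (Linux)
REPLY_RE = re.compile(r"^\d+ bytes from (?:\S+ \()?([0-9.]+)\)?:")
# "1 packets transmitted, 1 packets received, +12 duplicates" (Linux omits "packets" before "received")
STATS_RE = re.compile(
    r"^(\d+) packets transmitted, (\d+) (?:packets )?received(?:, \+(\d+) duplicates)?"
)


def parse_ping(text):
    """Return (target, reply_sources, sent, received, duplicates) from a ping transcript."""
    target = None
    replies = []
    sent = received = dups = 0
    for line in text.splitlines():
        if line.startswith("PING "):
            target = line.split()[1]
            continue
        m = REPLY_RE.match(line)
        if m:
            replies.append(m.group(1))
            continue
        m = STATS_RE.match(line)
        if m:
            sent, received = int(m.group(1)), int(m.group(2))
            dups = int(m.group(3) or 0)
    return target, replies, sent, received, dups


def assess_amplifier(text, prefix):
    """Summarise a broadcast-address probe of one of your own prefixes.

    prefix is the network whose .255 (broadcast) address was probed.
    More than one distinct responder to a single request means directed
    broadcasts are reaching the segment, i.e. the prefix is a smurf amplifier.
    """
    net = ip_network(prefix)
    target, replies, sent, received, dups = parse_ping(text)
    responders = sorted(set(replies), key=ip_address)
    total_replies = received + dups
    return {
        "target": target,
        "responders": len(responders),
        "amplification": total_replies / sent if sent else 0.0,
        "outside_prefix": [r for r in responders if ip_address(r) not in net],
        "is_amplifier": len(responders) > 1,
    }


if __name__ == "__main__":
    for name, text, prefix in (
        ("thread transcript", SAMPLE_AMPLIFIER, "199.166.227.0/24"),
        ("filtered prefix", SAMPLE_FILTERED, "192.0.2.0/24"),
    ):
        print(name, assess_amplifier(text, prefix))
```

Run against the thread's transcript this reports 13 distinct responders and a 13x amplification factor for a single request, with 134.87.109.226 flagged as answering from outside the probed prefix; the filtered sample reports no responders. Feeding it the output of a loop over every .255 address you are responsible for gives the list Dillon suggests the upstream should be building, without anything more than a single echo request per prefix.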
Thank you for the heads-up. The problem has now been fixed on our network.

On Mon, 13 Apr 1998, Michael Dillon wrote:
On 13 Apr 1998, Michael Shields wrote:
Well, in the case of junction.net, there is no such forgery needed.
~$ host www.memra.com
www.memra.com A 199.166.227.56
I have just fired off a message to my ISP pointing him to the instructions for "no ip directed broadcast" so it will hopefully be fixed soon.
And I'm Cc'ing his upstream provider who probably never thought of testing all the ?.?.?.255 addresses in their network and contacting their downstream customers to get directed broadcast turned off. For them I'm including the URLs
http://www.quadrunner.com/~chuegen/smurf.cgi
ftp://ftp.isi.edu/in-notes/rfc2267.txt
I sure would hate to get cut off from sending mail to Karl. ;-)
-- 
Michael Dillon - Internet & ISP Consulting
http://www.memra.com - E-mail: michael@memra.com
-- 
Okanagan Internet Junction, Network Operations Centre
Phone +1 (888) 944-INET
Was all this email really necessary? Karl gave us a list of people he knows have yet to deny directed broadcast. Somebody wanted Paul and the RBL team to pick up the list and run it via BGP to people interested as they felt a public broadcast of Karl's list was inflaming the problem. Paul said "Ain't got the time" about 25 messages ago. No one has volunteered to run a similar project. Either offer your own time or stop wasting everyone else's.

The real solution to this is far too simple: please turn off directed broadcast on your network and point anyone who hasn't in the right direction.

-- 
Jason Weisberger
Chief of Network Operations
SoftAware, Inc. - 310/305-0275
"You may be whatever you resolve to be." -Thomas Jonathan "Stonewall" Jackson
On Mon, Apr 13, 1998 at 12:33:00PM -0700, Randy Bush wrote:
Either offer your own time or stop wasting everyone else's.
Huh? This is NANOG, where we tell everybody else what THEY should do. Case in point. :-)
<evil grin> See, everybody? Randy's right occasionally. </evil grin>

Cheers,
-- jra

-- 
Jay R. Ashworth jra@baylink.com Member of the Technical Staff Unsolicited Commercial Emailers Sued The Suncoast Freenet "Two words: Darth Doogie." -- Jason Colby, Tampa Bay, Florida on alt.fan.heinlein +1 813 790 7592 Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com
participants (6)
- Ian McLaughlin
- Jason L. Weisberger
- Jay R. Ashworth
- Michael Dillon
- Randy Bush
- shields@crosslink.net