About last smurf floods - additional info
I am not sure if it's just those SMURF attack someone write about yesterday, but in accordance to my information: - there was 3 or 4 SMURF attacks againts .PSU.EDU servers. May be, some of them was forwarded to DAL.NET because it's IRC server and all (ALL) this attacks was done to show _I am very BIG and you are NOTHING_ in IRC conversation, or _I have 10 shells in XXX.GOV and you have not_ or _My shells are better than yours_. - the server engr-mis-01.cedcc.psu.edu was broken and abused by the hacker. Through it's suspection only. - the hackers have used some accounts in NASA to provide SMURF. Unfortunately, I can't contact anyone from NASA in a few weeks and if someone can give me contact e-mail it'll be appresiated. Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
On Wed, 25 Nov 1998, Alex P. Rudnev wrote:
- there was 3 or 4 SMURF attacks againts .PSU.EDU servers. May be, some of them was forwarded to DAL.NET because it's IRC server and all (ALL) this attacks was done to show _I am very BIG and you are NOTHING_ in IRC conversation, or _I have 10 shells in XXX.GOV and you have not_ or _My shells are better than yours_.
A lot of these people have already gone back to SYN flooding from spoofed random IPs. Kills the CPU in your router in notime. Less bandwidth is wasted though, 10-20 mbit is usually enough for them to get results. They cannot amplify it though, always something... What really should be fixed is not the smurf relays, but prohibit people from spoofing packets. Most DoS rely on your ability to send packets with a sender adress that doesnt belong on your local network. If this could be stopped we would see much less attacks and the attacks would be easier to trace. ----- Mikael Abrahamsson email: swmike@swm.pp.se
A lot of these people have already gone back to SYN flooding from spoofed random IPs. Kills the CPU in your router in notime. Less bandwidth is wasted though, 10-20 mbit is usually enough for them to get results. They cannot amplify it though, always something... But the reasons they are doing this are the same - _revenge_ -:).
You are not right, everything should be done - clearing trojans from your servers, filtering frauded SRC addresses (most important issue), decreasing SMURF amplifyers, lawsuits agains the hackers. It's amazing, but we have not ANY official complain from foreign countries (foreign companies) through I have asked such complain any time I'v write about the broken system/network. Btw, your .se domain was popular among the russion hackers too, just as '.no'; I suspect a few scientific networks was sniffered there.
What really should be fixed is not the smurf relays, but prohibit people from spoofing packets. Most DoS rely on your ability to send packets with a sender adress that doesnt belong on your local network. If this could be stopped we would see much less attacks and the attacks would be easier to trace.
Ok. Try NASA to do this -:), I could not... I am not sure they are used for the such attacks but I have no doubts about _there is a lot of accounts in NASA well known for the young boys.girls here who use this accounts for the different IP games_ -:). Good luck, they did not push down satellite yet -:). /I do not blame them, I use them as the good example of very big company whose resources are suspected to be abused for this purposes and who wahe not proper contact persons to investigate this accidents/.
----- Mikael Abrahamsson email: swmike@swm.pp.se
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
participants (2)
-
Alex P. Rudnev
-
Mikael Abrahamsson