Aaaarrrggghhh! I have been under attack since 2:30AM HKT and it only stopped just now.

I am quite familiar with smurfs. As a matter of fact, I have turned off directed broadcast on every Cisco router I have. Constantly I am reminding my clients to do the same thing. It is sad that some people out there aren't doing their part.

But what bothers me the most is this most recent attack. Smurfs are ICMPs, right? Well, based on the logs I got, I was receiving all sorts of packets from "non-routable" addresses. This floored my International Private Line to MCI. I don't think they are smurfs because they do not belong to the same network. The protocols vary too: UDP, ICMP and TCP. Even the ports change. In other words, nothing is common except that they all pass thru the same gateway to our network.

Being an ISP outside the US, bandwidth is very scarce and thus expensive from where I come from. I am filtering these packets so they never reach my clients. But still, the evil payload is dropped on my doorstep and it still consumes my precious bandwidth. Shouldn't MCI, or any other provider, be filtering this on their borders? And if they are, there shouldn't be any packets of this variety running around their links, right? So how do these little blasted packets end up running around the internet?

I am going to be very grateful if some kind souls can help point me to documentation on how to track these down and possibly effectively prevent it from eating my line.

Thanks!

---
Gary Mensenares
IPhil Communications Network Incorporated

At 05:27 PM 4/18/98 +0800, Gary R. Mensenares wrote:
I am going to be very grateful if some kind souls can help point me to documentation on how to track these down and possibly effectively prevent it from eating my line.

Start here: http://www.quadrunner.com/~chuegen/smurf.txt

- paul

Sounds like that new nestea multi-protocol nuke

Gary R. Mensenares wrote:
Aaaarrrggghhh! I have been under attack since 2:30AM HKT and it only stopped just now.
I am quite familiar with smurfs. As a matter of fact, I have turned off directed broadcast on every Cisco router I have. Constantly I am reminding my clients to do the same thing. It is sad that some people out there aren't doing their part.
But what bothers me the most is this most recent attack. Smurfs are ICMPs, right? Well, based on the logs I got, I was receiving all sorts of packets from "non-routable" addresses. This floored my International Private Line to MCI. I don't think they are smurfs because they do not belong to the same network. The protocols vary too: UDP, ICMP and TCP. Even the ports change. In other words, nothing is common except that they all pass thru the same gateway to our network.
Being an ISP outside the US, bandwidth is very scarce and thus expensive from where I come from. I am filtering these packets so they never reach my clients. But still, the evil payload is dropped on my doorstep and it still consumes my precious bandwidth. Shouldn't MCI, or any other provider, be filtering this on their borders? And if they are, there shouldn't be any packets of this variety running around their links, right? So how do these little blasted packets end up running around the internet?
I am going to be very grateful if some kind souls can help point me to documentation on how to track these down and possibly effectively prevent it from eating my line.
Thanks!
---
Gary Mensenares
IPhil Communications Network Incorporated
participants (3)
- Gary R. Mensenares
- Henry Linneweh
- Paul Ferguson
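
The traffic described in the first message (packets with "non-routable" source addresses, spread over several networks and protocols) can be summarised from a border log as in the following added example, which is not code from any participant in this thread. The log line format, the sample lines and the short list of reserved ranges are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Source ranges that should never arrive over an Internet-facing link.
# Illustrative, not exhaustive: "this network", RFC 1918 private space, loopback.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed sample in a hypothetical "proto src -> dst:port" format.
SAMPLE_LOG = """\
udp 10.1.2.3 -> 203.0.113.10:53
icmp 192.168.44.7 -> 203.0.113.10:0
tcp 172.16.9.9 -> 203.0.113.25:80
tcp 198.51.100.4 -> 203.0.113.25:25
udp 10.200.0.1 -> 203.0.113.77:7
bogus line
"""

def reserved_net(addr):
    """Return the reserved network containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return next((net for net in NON_ROUTABLE if ip in net), None)

def triage(log_text):
    """Return (non_routable_count_by_protocol, reserved_nets_seen, routable_count)."""
    by_proto, nets, routable = Counter(), set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue  # skip lines that do not match the assumed format
        proto, src = parts[0], parts[1]
        try:
            net = reserved_net(src)
        except ValueError:
            continue  # unparseable source address
        if net is None:
            routable += 1
        else:
            by_proto[proto] += 1
            nets.add(str(net))
    return dict(by_proto), nets, routable

if __name__ == "__main__":
    protos, nets, routable = triage(SAMPLE_LOG)
    print("non-routable sources by protocol:", protos)
    print("reserved networks seen:", sorted(nets))
    print("packets with routable sources:", routable)
```

Sources falling in several unrelated reserved networks across several protocols match the pattern the poster contrasts with a smurf, and the per-network counts are the evidence to hand to the upstream provider when asking for filtering at their border.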