|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: [nsp] known networks for broadcast ping attacks
Alex Bligh writes: }Urm, 192.41.177.255 is the MAE-East LAN ?! Are you saying attacks are }being mounted from here or people are attacking this LAN (not }sure which is more worrying) If I'm interpreting the code comments correctly, what this silly "smurf" thing does is take a victim's IP address and generate an ICMP_ECHO_REQUEST with the victim's IP address as the source and an IP address from the array as the destination, and generate lots of such packets (per each destination). That way, the victim supposedly receives lots of ICMP_ECHO_REPLY packets - moreso than from, say, the 28.8kbps dialup line from which the attack is taking place. So basically this is just a simple DoS attack on bandwidth, supposedly multiplied by the fact that it uses broadcast addresses as the "proxy" attacker rather than unicast addresses. However, I don't know about everyone else, but my routers respond to such attempted directed-broadcast pings from their own unicast address, so it really isn't multiplying anything. And furthermore, if more people implemented source address filtering, it would be less of a problem - if it really is a problem at all. (And to answer the proverbial "how do I configure my router for that" in advance, the answer is that, at least on my boxes, the not-allowing- broadcast-pings-through-as-broadcasts-onto-the-target-media thing is on by default. Source address filtering, however, is not.) Jeff -- Jeffrey S. Curtis | Internetwork Manager Argonne National Laboratory | Email: [email protected] 9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789 Argonne, IL 60439 | Fax: 630/252-9689
|