North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: [nsp] known networks for broadcast ping attacks

  • From: Jon Lewis
  • Date: Tue Aug 12 17:46:11 1997

On Tue, 12 Aug 1997, Dennis Simpson wrote:

> > Here's a sorted list of the networks used to attack FDT (pulled from my
> > 1.5mb of tcpdump data which was just a brief sample of the data from our
> > attack Sunday.  If any of them belong to you, shame on you.
> >
> > 207.107.244
> You are being hit through Sprint Canada. Four /30's from this class c
> are the addresses assigned to the 4 T1's we have with Sprint Canada.
> What specific addresses on this net hit you? We do source address
> filtering, and do not permit packets to leave our net which do not
> have source addresses on our nets.

18:56:12.866177 > icmp: echo reply (ttl 248,
id 3392)
18:56:21.976177 > icmp: echo reply (ttl 248,
id 6747)

Source filtering is not the issue.  The issue is that someone pinged the
broadcast address on these networks using a forged source address, and
then all the hosts on the pinged networks respond to the forged source
address, burrying it in icmp echo replies.  It would be nice if everyone
blocked broadcast pings from entering their networks.  It would be nicer
if these idiots found more constructive things to do with their time.

 Jon Lewis <[email protected]>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______ for PGP public key____