North American Network Operators Group


RE: Broadcast pings.

  • From: Al Roethlisberger
  • Date: Mon Dec 22 16:50:10 1997

At 04:04 PM 12/22/97 -0500, you wrote:
>Yeah that was my initial thought, but we've been hit now from multiple
>nameservers (and constantly machines that are named "ns" or appear in a
>'nic record).  I just found it odd that we're only getting hit from
>machines matching this pattern.  I guess it was random, but you never
>know :-)
>

Hmm, don't know.  But it may be that a casual hacker that has recently
jumped on the smurf bandwagon may be using ns addresses as they are so
readily available. 

I have often been surprised at the lack of real knowledge some of the
perpetrators have had in some of these cases.  They just get the code, plug
in some easy data (like their ISP's ns) and away they go.  Fortunately for us,
many of these folks don't know how to choose large enough networks to ping,
so we often come out OK.

Or maybe 'someone' just discovered nslookup =) and decided to use that data.  

Who knows though.... it is certainly hard to tell sometimes.

al

>Best regards,
>
>Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
>[email protected] (610)954-5200 http://www.fast.net/
>FASTNET - Business and Personal Internet Solutions
>
>> -----Original Message-----
>> From:	Al Roethlisberger [SMTP:[email protected]]
>> Sent:	Monday, December 22, 1997 3:23 PM
>> To:	Jamie Scheinblum
>> Cc:	[email protected]
>> Subject:	Re: Broadcast pings.
>> 
>> At 12:50 PM 12/22/97 -0500, you wrote:
>> >Has anyone seen an increase of broadcast pings, where the source route
>> >appears to be from a nameserver?
>> >
>> >We took a look through our access-list logs, and it seems all of the
>> >attempted attacks during the last few days have had an IP-source of a
>> >nameserver.
>> >
>> >Just thought it was curious.
>> >
>> >Best regards,
>> >
>> >Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
>> >[email protected] (610)954-5200 http://www.fast.net/
>> >FASTNET - Business and Personal Internet Solutions
>> >
>> 
>> 
>> Jamie,
>> 
>> It is probably just someone 'smurfing', where they fudge the source ip of
>> the broadcast ping request.  The actual source of the ICMP request is
>> probably entirely different than the nameserver you are seeing in your
>> logs.... hence the difficulty (although not impossible) tracking these
>> attacks.
>> 
>> I would imagine that this poor nameserver in question is also suffering from
>> the attack as well when all the pinged devices attempt to respond.  You
>> probably have one or more folks using the same dummy address for the source.
>> This is the nature of the 'smurf' problem.
>> 
>> Check out:
>> 
>> http://www.quadrunner.com/~chuegen/smurf.cgi
>> 
>> This is a co-worker of mine that has put together some useful background and
>> tips addressing this issue.
>> 
>> Hope that helps.
>> 
>> al
>> 
>
>
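
Added example, not part of the original thread: one way to summarize the access-list log review described above, grouping denied ICMP echo requests aimed at local broadcast addresses by their claimed source, which in a smurf attack is the victim that the replies would hit rather than the real sender. The log line layout (Cisco IOS-style ACL logging), the hostname gw1, the prefixes and all addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Dec 22 12:41:07 gw1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.53 -> 198.51.100.255 (8/0), 214 packets
Dec 22 12:41:09 gw1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.53 -> 203.0.113.127 (8/0), 190 packets
Dec 22 12:41:12 gw1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.53 -> 198.51.100.0 (8/0), 75 packets
Dec 22 12:42:30 gw1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.10 -> 198.51.100.20 (8/0), 3 packets
Dec 22 12:43:02 gw1 %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.99 -> 198.51.100.255 (0/0), 1 packet
"""

# Assumed local prefixes whose broadcast addresses the ACL protects.
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.0/25")]

LINE_RE = re.compile(
    r"denied icmp (\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packets?")


def broadcast_targets(nets):
    """All-ones and (old-style) all-zeros broadcast address of each prefix."""
    targets = set()
    for net in nets:
        targets.update((net.broadcast_address, net.network_address))
    return targets


def summarize(log_text, nets):
    """Map claimed source -> packet count and broadcast addresses probed."""
    targets = broadcast_targets(nets)
    by_src = defaultdict(lambda: {"packets": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, icmp_type, _code, count = m.groups()
        if int(icmp_type) != 8:          # only echo requests trigger replies
            continue
        if ipaddress.ip_address(dst) not in targets:
            continue                     # ordinary unicast ping, ignore
        by_src[src]["packets"] += int(count)
        by_src[src]["targets"].add(dst)
    return dict(by_src)


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG, LOCAL_NETS).items():
        print(src, info["packets"], sorted(info["targets"]))
```

A single claimed source showing up against several broadcast addresses is the pattern reported in the thread; the address is worth passing to its owner, since that host is the one receiving the amplified replies.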