North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical [no subject]
John Fraizer wrote: >The thing that makes it "interesting" is the fact that most implementations >DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in >the neighborhood of 1.7Mb before they routed the netblock in question to a >loopback interface on the 7507. The attacker was sending less that 300Kb >of traffic and consuming 2Mb. Any idea where that much amplification is coming from? For smurf with an echo request to a broadcast, its easy to see why there is so much amplification. But for a TCP or UDP packet to port 0, wouldn't just one port unreachable be sent back to the (spoofed) source? Or is it a broadcast TCP or UDP packet to port 0 ??? Thanks, Sean Butler, IBM Global Services
|