North American Network Operators Group


Re: Huge smurf attack

  • From: Jeremiah Kristal
  • Date: Mon Jan 11 10:39:26 1999

On Sat, 9 Jan 1999, Phil Howard wrote:

> Brandon Ross wrote:
>
> > ftp://ftp.mindspring.net/users/bross/smurfsources
>
> I find it slightly interesting that some private addresses were in the
> list.  There were some addresses in 10/8, 172.16/12, and 192.168/16.
> Thus the source of the attack must have had some addresses in these
> private network ranges reachable somehow, either internally in the
> network the attacker(s) originate, or routes leaking onto the internet.
> If the former, that would mean they had the capacity from that internal
> network to carry the forged echo requests as well as those private
> sourced echo replies.

I find it even more interesting how often I see 10.177.180.0/24 showing up
in smurf logs.  Is there some equipment that defaults to this network,
some manual that uses this as an example, or is there a specific LAN that
gets hit on every major smurf attack?  If it's really one network, you
would think we could find and provide clue to the operator(s).

Jeremiah
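
Added example, not part of the original message or thread: one way to check whether a /24 such as 10.177.180.0/24 really recurs across separate smurf logs, and which reply sources fall in the private ranges named above. The log names, the sample addresses and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# The private ranges named in the thread (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: echo-reply source addresses from three separate
# attacks. Non-private entries use documentation ranges (RFC 5737).
SAMPLE_LOGS = {
    "attack-a": ["10.177.180.5", "10.177.180.17", "198.51.100.7", "192.168.1.44"],
    "attack-b": ["10.177.180.201", "203.0.113.80", "172.16.9.2", "not-an-address"],
    "attack-c": ["198.51.100.9", "10.177.180.5", "203.0.113.81"],
}

def private_range(addr):
    """Return the RFC 1918 network containing addr, or None."""
    return next((net for net in PRIVATE_NETS if addr in net), None)

def amplifier_nets(sources):
    """Map one log's source addresses to (Counter of /24s, unparsable lines)."""
    nets, rejected = Counter(), []
    for text in (s.strip() for s in sources):
        try:
            addr = ipaddress.IPv4Address(text)
        except ipaddress.AddressValueError:
            rejected.append(text)  # keep bad lines visible instead of dropping them
            continue
        nets[ipaddress.ip_network(f"{addr}/24", strict=False)] += 1
    return nets, rejected

def recurring(logs):
    """Count, for each /24, how many distinct logs it appears in."""
    seen_in = Counter()
    for sources in logs.values():
        nets, _ = amplifier_nets(sources)
        seen_in.update(nets.keys())  # one vote per log, however many replies
    return seen_in

if __name__ == "__main__":
    for net, logs_hit in recurring(SAMPLE_LOGS).most_common():
        rng = private_range(net.network_address)
        note = f"private, inside {rng}" if rng else "public"
        print(f"{str(net):<20} seen in {logs_hit}/{len(SAMPLE_LOGS)} logs  ({note})")
```

Counting each /24 once per log separates a network that shows up in every attack from one that merely sent many replies in a single attack.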