North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Huge smurf attack
On Sat, 9 Jan 1999, Phil Howard wrote: > Brandon Ross wrote: > > > ftp://ftp.mindspring.net/users/bross/smurfsources > > I find it slightly interesting that some private addresses were in the > list. There were some addresses in 10/8, 172.16/12, and 192.168/16. > Thus the source of the attack must have had some addresses in these > private network ranges reachable somehow, either internally in the > network the attacker(s) originate, or routes leaking onto the internet. > If the former, that would mean they had the capacity from that internal > network to carry the forged echo requests as well as those private > sourced echo replies. I find it even more interesting how often I see 10.177.180.0/24 showing up in smurf logs. Is there some equipment that defaults to this network, some manual that uses this as an example, or is there a specific LAN that gets hit on every major smurf attack? If it's really one network, you would think we could find and provide clue to the operator(s). Jeremiah
|