North American Network Operators Group

Re: Huge smurf attack
Jeremiah Kristal wrote:

> I agree that clueful operators filter RFC1918 addresses at their borders
> and that they do not accept advertisements for RFC1918 space, however,
> there is a specific network (10.177.180/24) that appears again and again
> in smurf logs. I find it rather interesting that with 65k available /24s
> in the 10/8 space, one specific /24 pops up much more often than any
> other. Granted it's not that large an amplifier, but it seems odd that
> even an RFC1918 network would be used as an amplifier for this long
> without someone finding and securing it.

My biggest suspicion is that the clueless script kiddie(s) involved did a scan for amplifiers w/o regard to RFC1918 (the number of addresses in RFC1918 is a mere 0.476% of the whole possible range), and never filtered them out. They perhaps did make the attack slightly worse than w/o, so maybe leaving them in was intended.

Now if we can identify who has 10.177.180/24 internally, we could be getting somewhere.

One thing that could be useful when reducing attack sniff data to a list of addresses is to produce a frequency of occurrence for each address. There may be wide ranges in the frequencies. If 10.177.180/24 shows up very rarely compared to the rest, that could indicate that the attack is originating on a relatively low speed network with 10.177.180/24 being behind that network. OTOH, if it is about the same, then the bandwidth for that network would be relatively high.

--
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
 --    | Inturnet, Inc.              | Director of Internet Services |    --
 --    | Business Internet Solutions |       eng at intur.net        |    --
 --    *-----------------------------*      philh at intur.net       *    --
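
The per-address frequency count suggested in the message above, as an added example that is not part of the original post: it groups ICMP echo-reply sources by /24, ranks them by packet count, and marks RFC1918 networks. The capture lines, the victim address 192.0.2.10, the packet counts and the function name `amplifier_frequencies` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REPLY = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > \S+ ICMP echo reply")

# Constructed sample (not data from the thread): tcpdump-style lines seen
# at a victim, 192.0.2.10. Public amplifiers use documentation prefixes.
_COUNTS = {"198.51.100.7": 40, "198.51.100.9": 35,
           "203.0.113.20": 45, "10.177.180.5": 3}
SAMPLE_CAPTURE = "\n".join(
    [f"12:00:00.{i:06d} IP {src} > 192.0.2.10: ICMP echo reply, id 1, seq {i}, length 64"
     for src, n in _COUNTS.items() for i in range(n)]
    # A non-reply line that the parser must ignore.
    + ["12:00:01.000000 IP 192.0.2.10 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64"])


def amplifier_frequencies(capture, prefix_len=24):
    """Count echo replies per source network, most frequent first.

    Returns a list of (network, packets, share_of_total, is_rfc1918).
    """
    counts = Counter()
    for line in capture.splitlines():
        m = REPLY.search(line)
        if not m:
            continue  # not an echo reply, so not amplifier traffic
        net = ipaddress.ip_network(f"{m.group(1)}/{prefix_len}", strict=False)
        counts[net] += 1
    total = sum(counts.values())
    # Python's is_private also covers documentation ranges, so test
    # membership in the three RFC1918 blocks explicitly.
    return [(net, n, n / total, any(net.subnet_of(r) for r in RFC1918))
            for net, n in counts.most_common()]


if __name__ == "__main__":
    for net, n, share, private in amplifier_frequencies(SAMPLE_CAPTURE):
        tag = "  RFC1918, check border filters" if private else ""
        print(f"{str(net):<20}{n:>6}{share:>8.1%}{tag}")
```

A low share for an RFC1918 network next to the public amplifiers is the pattern the message describes; the same table run over several captures shows whether that share stays constant.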