[11475] in North American Network Operators' Group
Re: [nsp] known networks for broadcast ping attacks
daemon@ATHENA.MIT.EDU (Jordyn A. Buchanan)
Wed Jul 30 16:29:44 1997
In-Reply-To: <199707301856.TAA21579@diamond.xara.net>
Date: Wed, 30 Jul 1997 15:47:26 -0400
To: "Alex.Bligh" <amb@xara.net>, cisco-nsp@cic.net
From: "Jordyn A. Buchanan" <jordyn@bestweb.net>
Cc: nanog@merit.edu
At 7:56 PM +0100 7/30/97, Alex.Bligh wrote:
>> Here's a list of KNOWN NETWORKS that are being used to ping
>> flood other networks. If one of your networks is in here, FILTER
>> BROADCAST PINGS NOW FROM ENTERING YOUR NETWORK. YOUR NETWORK IS BEING
>> USED TO ATTACK OTHER NETWORKS.
>
>> "204.71.177.255", "255.255.255.255", "207.137.200.255",
>>"192.41.177.255",
>
>Urm, 192.41.177.255 is the MAE-East LAN ?! Are you saying attacks are
>being mounted from here or people are attacking this LAN (not
>sure which is more worrying)
The LAN is being used indirectly to attack another network. Pings are
spoofed as originating from the machine that is being attacked and sent to
the broadcast address on another network. This causes every machine on the
receiving network to send an ECHO_RESPONSE to the machine being attacked,
esentially creating a huge multiplying effect on a ping flood attack.
Apparently, the MAE-East LAN is one of the networks that attackers are
using to flood other hosts.
Jordyn
|----------------------------------------------------------------|
|Jordyn A. Buchanan mailto:jordyn@bestweb.net |
|Bestweb Corporation http://www.bestweb.net |
|Senior System Administrator +1.914.271.4500 |
|----------------------------------------------------------------|
