[11485] in North American Network Operators' Group
Re: [nsp] known networks for broadcast ping attacks
daemon@ATHENA.MIT.EDU (Jay R. Ashworth)
Wed Jul 30 17:24:03 1997
Date: Wed, 30 Jul 1997 16:44:15 -0400
From: "Jay R. Ashworth" <jra@scfn.thpl.lib.fl.us>
To: "Jordyn A. Buchanan" <jordyn@bestweb.net>
Cc: "Alex.Bligh" <amb@xara.net>, cisco-nsp@cic.net, nanog@merit.edu
In-Reply-To: <v0310281cb00548bcef8f@[208.197.0.27]>; from "Jordyn A. Buchanan" <jordyn@bestweb.net> on Wed, Jul 30, 1997 at 03:47:26PM -0400
On Wed, Jul 30, 1997 at 03:47:26PM -0400, Jordyn A. Buchanan wrote:
> The LAN is being used indirectly to attack another network. Pings are
> spoofed as originating from the machine that is being attacked and sent to
> the broadcast address on another network. This causes every machine on the
> receiving network to send an ECHO_RESPONSE to the machine being attacked,
> esentially creating a huge multiplying effect on a ping flood attack.
>
> Apparently, the MAE-East LAN is one of the networks that attackers are
> using to flood other hosts.
Time to attempt to put my other foot in my mouth.
Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
packets with destination address which are broadcast addresses?
Ok, yes, I know that CIDR makes this harder, but knowing which nets
fall on non-octet boundaries is non-obvious, too, and this particular
attack wasn't trying...
.255 is _always_ a broadcast address, no?
Cheers,
-- jra
--
Jay R. Ashworth jra@baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "People propose, science studies, technology
Tampa Bay, Florida conforms." -- Dr. Don Norman +1 813 790 7592
