[16322] in North American Network Operators' Group
Re: Spoofed Packets
daemon@ATHENA.MIT.EDU (Henry Linneweh)
Mon Apr 20 12:32:35 1998
Date: Mon, 20 Apr 1998 09:23:50 -0700
From: Henry Linneweh <linneweh@concentric.net>
To: "Gary R. Mensenares" <jug@noc.gw.iphil.net>
CC: nanog@merit.edu
Sounds like that new nestea multi-protocol nuke
Gary R. Mensenares wrote:
> Aaaarrrggghhh! I have been under attack since 2:30AM HKT and it only
> stopped just now.
>
> I am quite familiar with smurfs. As a matter of fact, I have turned off
> directed broadcast on every Cisco router I have. Constantly I am reminding
> my clients to do the same thing. It is sad that some people out there
> aren't doing their part.
>
> But what bothers me the most is this most recent attack. Smurfs are ICMPs
> right? Well based on the logs I got, I was receiving all sorts of packets
> from "non-routable" addresses. This floored my International Private Line
> to MCI. I don't think they are smurfs because they do not belong to the
> same network. The protocols vary too, udp, icmp and tcp. Even the ports
> change. In other words, nothing is common except that they all pass thru
> the same gateway to our network.
>
> Being an ISP outside the US, bandwidth is very scarce and thus expensive
> from where I come from. I am filtering these packets so they never reach
> my clients. But still, the evil payload is dropped on my doorstep and it
> still consumes my precious bandwidth. Shouldn't MCI, or any other provider
> be filtering this on their borders? And if they are, there shouldn't be
> any packets of this variety running around their links, right? So how do
> these little blasted packets end up running around the internet?
>
> I am going to be very grateful if some kind souls can help point me to
> documentation on how to track these down and possibly effectively prevent
> it from eating my line.
>
> Thanks!
>
> ---
> Gary Mensenares
> IPhil Communications Network Incorporated
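
The triage reasoning in the quoted message (non-routable sources, mixed protocols, unrelated source networks, so not a smurf) can be run over a router's deny log. The sketch below is an added example, not part of either post; the log line shape, the sample lines, the prefix list and the "two networks" threshold are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Source ranges that should never arrive over a public transit link
# (RFC 1918 private space, loopback, link-local, "this network").
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed log shape: "... denied <proto> <src>[(port)] -> <dst>[(port)] ..."
LINE_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> ")

# Constructed sample lines; documentation addresses stand in for public ones.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied udp 10.14.3.9(1042) -> 203.0.113.7(53), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.77.2(2201) -> 203.0.113.7(80), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 172.20.5.1 -> 203.0.113.9 (8/0), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 127.0.0.1(7) -> 203.0.113.7(19), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 denied icmp 198.51.100.4 -> 203.0.113.9 (0/0), 1 packet
"""

def is_non_routable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)

def summarize(log_text):
    """Count protocols and source /24s among non-routable-source packets."""
    protos, nets, routable = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if not is_non_routable(m["src"]):
            routable += 1
            continue
        protos[m["proto"]] += 1
        nets[ipaddress.ip_network(m["src"] + "/24", strict=False)] += 1
    return protos, nets, routable

def looks_like_smurf(protos, nets):
    # Smurf replies are ICMP from hosts sharing a few amplifier networks; mixed
    # protocols from scattered networks suggest forged sources (2 is arbitrary).
    return set(protos) == {"icmp"} and len(nets) <= 2

if __name__ == "__main__":
    protos, nets, routable = summarize(SAMPLE_LOG)
    print(dict(protos), len(nets), routable, looks_like_smurf(protos, nets))
```
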