[17541] in North American Network Operators' Group
No subject found in mail header
daemon@ATHENA.MIT.EDU (Sean Butler)
Thu Jun 4 14:52:10 1998
From: Sean Butler <sebutler@us.ibm.com>
To: <nanog@merit.edu>
Date: Thu, 4 Jun 1998 14:49:35 -0400
John Fraizer wrote:
>The thing that makes it "interesting" is the fact that most implementations
>DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in
>the neighborhood of 1.7Mb before they routed the netblock in question to a
>loopback interface on the 7507. The attacker was sending less than 300Kb
>of traffic and consuming 2Mb.
Any idea where that much amplification is coming from? For smurf with an echo
request to a broadcast, it's easy to see why there is so much amplification.
But for a TCP or UDP packet to port 0, wouldn't just one port unreachable be
sent back to the (spoofed) source?
Or is it a broadcast TCP or UDP packet to port 0 ???
Thanks,
Sean Butler, IBM Global Services