[22540] in North American Network Operators' Group
Re: Huge smurf attack
daemon@ATHENA.MIT.EDU (Jeremiah Kristal)
Mon Jan 11 10:34:33 1999
Date: Mon, 11 Jan 1999 10:11:48 -0500 (EST)
From: Jeremiah Kristal <jeremiah@fs.IConNet.NET>
To: Phil Howard <phil@whistler.intur.net>
cc: Brandon Ross <bross@mindspring.net>, nanog@merit.edu
In-Reply-To: <199901100417.WAA21428@whistler.intur.net>

On Sat, 9 Jan 1999, Phil Howard wrote:
> Brandon Ross wrote:
>
> > ftp://ftp.mindspring.net/users/bross/smurfsources
>
> I find it slightly interesting that some private addresses were in the
> list. There were some addresses in 10/8, 172.16/12, and 192.168/16.
> Thus the source of the attack must have had some addresses in these
> private network ranges reachable somehow, either internally in the
> network the attacker(s) originate, or routes leaking onto the internet.
> If the former, that would mean they had the capacity from that internal
> network to carry the forged echo requests as well as those private
> sourced echo replies.

I find it even more interesting how often I see 10.177.180.0/24 showing up
in smurf logs. Is there some equipment that defaults to this network,
some manual that uses this as an example, or is there a specific LAN that
gets hit on every major smurf attack? If it's really one network, you
would think we could find and provide clue to the operator(s).

Jeremiah
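
Added example, not part of the original message or of any poster's tooling: one way to check both observations in the thread against smurf source lists, by grouping echo-reply sources into /24s, flagging the RFC 1918 ranges, and listing /24s that recur in every incident. The incident names and all sample addresses are constructed, with 10.177.180.0/24 taken from the message above and the public addresses drawn from documentation ranges.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges named in the thread
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: echo-reply sources from three hypothetical incidents
CONSTRUCTED_LOGS = {
    "incident-a": ["10.177.180.5", "10.177.180.9", "198.51.100.7", "192.168.1.20"],
    "incident-b": ["10.177.180.44", "203.0.113.15", "203.0.113.16", "172.16.4.1"],
    "incident-c": ["10.177.180.5", "198.51.100.200", "not-an-address"],
}

def slash24(addr):
    """Return the /24 containing addr, or None if addr is not valid IPv4."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ValueError:
        return None  # skip malformed log entries instead of aborting
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def is_private(net):
    """True if the network lies inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(p) for p in PRIVATE)

def summarize(logs):
    """Per /24: reply entries seen, and number of incidents it appeared in."""
    replies, incidents = Counter(), Counter()
    for sources in logs.values():
        nets = [n for n in map(slash24, sources) if n is not None]
        replies.update(nets)
        incidents.update(set(nets))  # count each /24 once per incident
    return replies, incidents

def recurring(logs):
    """The /24s present in every incident, as (network, is_private) pairs."""
    _, incidents = summarize(logs)
    return sorted((str(n), is_private(n))
                  for n, c in incidents.items() if c == len(logs))

if __name__ == "__main__":
    replies, incidents = summarize(CONSTRUCTED_LOGS)
    for net, count in replies.most_common():
        tag = "private" if is_private(net) else "public"
        print(f"{net}  replies={count}  incidents={incidents[net]}  {tag}")
    print("in every incident:", recurring(CONSTRUCTED_LOGS))
```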