[22545] in North American Network Operators' Group
Re: Huge smurf attack
daemon@ATHENA.MIT.EDU (Phil Howard)
Mon Jan 11 13:12:31 1999
From: Phil Howard <phil@whistler.intur.net>
To: jeremiah@fs.IConNet.NET (Jeremiah Kristal)
Date: Mon, 11 Jan 1999 11:52:09 -0600 (CST)
Cc: bross@mindspring.net, nanog@merit.edu
In-Reply-To: <Pine.GSO.3.92.990111114707.28827e-100000@fs.IConNet.NET> from "Jeremiah Kristal" at Jan 11, 99 12:14:04 pm
Jeremiah Kristal wrote:
> I agree that clueful operators filter RFC1918 addresses at their borders
> and that they do not accept advertisements for RFC1918 space, however,
> there is a specific network (10.177.180/24) that appears again and again
> in smurf logs. I find it rather interesting that with 65k available /24s
> in the 10/8 space, one specific /24 pops up much more often than any
> other. Granted it's not that large an amplifier, but it seems odd that
> even an RFC1918 network would be used as an amplifier for this long
> without someone finding and securing it.
My biggest suspicion is that the clueless script kiddie(s) involved did
a scan for amplifiers w/o regard to RFC1918 (the number of addresses in
RFC1918 is a mere 0.476% of the whole possible range), and never filtered
them out. They perhaps did make the attack slightly worse than w/o, so
maybe leaving them in was intended. Now if we can identify who has
10.177.180/24 internally, we could be getting somewhere.
One thing that could be useful when reducing attack sniff data to a list
of addresses is to produce a frequency of occurrence for each address.
There may be wide ranges in the frequencies. If 10.177.180/24 shows up
very rarely compared to the rest, that could indicate that the attack is
originating on a relatively low speed network with 10.177.180/24 being
behind that network. OTOH, if it is about the same, then the bandwidth
for that network would be relatively high.
--
-- *-----------------------------* Phil Howard KA9WGN * --
-- | Inturnet, Inc. | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net | --
-- *-----------------------------* philh at intur.net * --
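An added example (not code from the post or from NANOG) of the frequency reduction Phil describes: it tallies ICMP echo replies per source address and per /24 from constructed tcpdump-style lines, so a rarely seen block such as 10.177.180/24 stands out next to the heavy hitters, and reports what share of the replies come from RFC1918 space. The log format, regex and addresses are assumptions.

```python
# Added example (not from the original post): tally how often each source
# address and each /24 appears in captured smurf reply traffic, and report
# the RFC1918 share. The log lines below are constructed tcpdump-style samples.
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_LOG = """\
11:47:01.001 IP 192.0.2.10 > 203.0.113.5: ICMP echo reply, id 1, seq 1
11:47:01.002 IP 192.0.2.11 > 203.0.113.5: ICMP echo reply, id 1, seq 1
11:47:01.003 IP 192.0.2.10 > 203.0.113.5: ICMP echo reply, id 1, seq 2
11:47:01.004 IP 10.177.180.7 > 203.0.113.5: ICMP echo reply, id 1, seq 1
11:47:01.005 IP 198.51.100.3 > 203.0.113.5: ICMP echo reply, id 1, seq 1
11:47:01.006 IP 192.0.2.12 > 203.0.113.5: ICMP echo reply, id 1, seq 1
11:47:01.007 IP 198.51.100.3 > 203.0.113.5: ICMP echo reply, id 1, seq 2
"""

LINE_RE = re.compile(r"IP (\S+) > \S+: ICMP echo reply")  # assumed format

def count_sources(log_text):
    """Return (per-address Counter, per-/24 Counter) over ICMP echo replies."""
    per_addr, per_net = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an echo reply line; ignore
        addr = ipaddress.ip_address(m.group(1))
        per_addr[str(addr)] += 1
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        per_net[str(net)] += 1
    return per_addr, per_net

def rfc1918_share(per_net):
    """Fraction of replies whose source /24 lies inside RFC1918 space."""
    total = sum(per_net.values())
    private = sum(n for net, n in per_net.items()
                  if any(ipaddress.ip_network(net).subnet_of(p) for p in RFC1918))
    return private / total if total else 0.0

if __name__ == "__main__":
    addrs, nets = count_sources(SAMPLE_LOG)
    for net, n in nets.most_common():
        print(f"{net:20} {n:5} replies")
    print(f"RFC1918 share: {rfc1918_share(nets):.1%}")
```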