[8886] in bugtraq


Re: netscan.org - broadcast ICMP list

daemon@ATHENA.MIT.EDU (Fyodor)
Fri Jan 1 15:36:45 1999

Date: 	Thu, 31 Dec 1998 15:22:14 -0500
Reply-To: Fyodor <fyodor@DHP.COM>
From: Fyodor <fyodor@DHP.COM>
To: BUGTRAQ@NETSPACE.ORG

> http://netscan.org has the first (relatively) complete database of ICMP
> directed broadcast networks ("smurf amplifiers").  All allocated IP
> addresses ending in .0 or .255 have been pinged and measured

On their page they say they are not going to release the scanner they use
to test networks for the problem -- people should use their web query form
instead.  This is unfortunate because the query form (like their database)
seems to only check .0 and .255 addresses.  Also it only seems to do class
'C' addresses, meaning that you have to type in 256 addresses, one at a
time, to do a class 'B'.

To save people this effort, I thought I'd mention that for the last 9
months nmap has had the capability to locate smurf addresses on your
network.  It allows you to specify which addresses to ping and it does the
scan in parallel using the ICMP ping ID and sequence number to demultiplex
the responses.

As a quick example, let's say you run the class 'B' 209.12 (I picked this
as a "random" occupied net -- use your own numbers).  You want to include
6-bit subnets, so you want to check addresses ending in
0,63,64,127,128,191,192, or 255.

The command you would use is:

nmap -n -sP -PI -o smurf.log '209.12.*.0,63,64,127,128,191,192,255'

From my machine it took 3 minutes to find 392 smurf addresses.  Notice
that 209.12.147.127, 209.12.17.63, 209.12.228.191 all have at least 20X
amplification, and these addresses would not be discovered by checking only
.0 and .255 addresses.

Some admins have told me they run nmap every day or week from cron to warn
them of new machines popping up on their network, new ports opening up,
new smurf addresses, boxes that change their operating systems, etc.

Nmap can be obtained from http://www.insecure.org/nmap/ .

Cheers,
Fyodor


--
Fyodor                            'finger pgp@www.insecure.org | pgp -fka'
"Girls are different from hacking. You can't just brute force them if all
else fails." --SKiMo, quoted in _Underground_ (good book)
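The two mechanisms the post describes, expanding an nmap-style target spec such as '209.12.*.0,63,64,127,128,191,192,255' and demultiplexing parallel ICMP echo replies by (identifier, sequence) back to the probed address so that a directed-broadcast amplifier shows up as one probe drawing many replies, as an offline worked example. This is added code, not Fyodor's or nmap's; the ICMP identifier 0x1F0F, the reply packets and the reply counts are constructed here, and checksums are neither computed nor checked.

```python
import itertools
import struct

def expand_targets(spec):
    """Expand each dotted octet ('*', 'a,b,c' or 'n') into the full address list."""
    choices = []
    for octet in spec.split("."):
        if octet == "*":
            choices.append(range(256))
        else:
            choices.append([int(v) for v in octet.split(",")])
    return [".".join(map(str, c)) for c in itertools.product(*choices)]

def build_probe_table(targets, ident=0x1F0F):
    """One (id, seq) pair per target, so replies to parallel probes can be told apart."""
    return {(ident, seq): addr for seq, addr in enumerate(targets)}

def demux_replies(probe_table, icmp_replies):
    """Map each ICMP echo reply (type 0) back to its probe via (id, seq); count per address."""
    counts = {addr: 0 for addr in probe_table.values()}
    for pkt in icmp_replies:
        if len(pkt) < 8:
            continue
        icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
        if icmp_type != 0:                    # only echo replies matter here
            continue
        addr = probe_table.get((ident, seq))
        if addr is not None:                  # drop replies to probes we never sent
            counts[addr] += 1
    return counts

def find_amplifiers(counts, min_replies=2):
    """A unicast host answers once; a directed broadcast answered by many hosts amplifies."""
    return {addr: n for addr, n in counts.items() if n >= min_replies}

def echo_reply(ident, seq):
    """Constructed 8-byte ICMP echo-reply header (type 0, code 0, checksum left zero)."""
    return struct.pack("!BBHHH", 0, 0, 0, ident, seq)

def demo():
    """Constructed replies for four addresses in the post's net: .127 draws 25 answers."""
    table = build_probe_table(expand_targets("209.12.147.0,63,64,127"))
    replies = [echo_reply(0x1F0F, 0)]         # .0 answered by a single host
    replies += [echo_reply(0x1F0F, 3)] * 25   # .127 answered by 25 hosts: an amplifier
    replies += [echo_reply(0x7777, 1)]        # stray reply with an id we never used
    return find_amplifiers(demux_replies(table, replies))

if __name__ == "__main__":
    print(demo())
```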
