Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Broadcast pings.

  • From: Jamie Scheinblum
  • Date: Mon Dec 22 16:53:50 1997

Yeah that was my initial thought, but we've been hit now from multiple
nameservers (and constantly machines that are named "ns" or appear in a
'nic record).  I just found it odd that we're only getting hit from
machines matching this pattern.  I guess it was random, but you never
know :-)

Best regards,

Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
jamie@fast.net (610)954-5200 http://www.fast.net/
FASTNET - Business and Personal Internet Solutions

> -----Original Message-----
> From:	Al Roethlisberger [SMTP:aroethli@cisco.com]
> Sent:	Monday, December 22, 1997 3:23 PM
> To:	Jamie Scheinblum
> Cc:	nanog@merit.edu
> Subject:	Re: Broadcast pings.
> 
> At 12:50 PM 12/22/97 -0500, you wrote:
> >Has anyone seen an increase of broadcast pings, where the source
> route
> >appears to be from a nameserver?
> >
> >We took a look through our access-list logs, and it seems all of the
> >attempted attacks during the last few days have had an IP-source of a
> >nameserver.
> >
> >Just thought it was curious.
> >
> >Best regards,
> >
> >Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
> >jamie@fast.net (610)954-5200 http://www.fast.net/
> >FASTNET - Business and Personal Internet Solutions
> >
> 
> 
> Jamie,
> 
> It is probably just someone 'smurfing', where they fudge the source ip
> of
> the broadcast ping request.  The actual source of the ICMP request is
> probably entirely different than the nameserver you are seeing in your
> logs....hence the difficulty(although not impossible) tracking these
> attacks.
> 
> I would imagine that this poor nameserver in question is also
> suffering from
> the attack as well when all the pinged devices attempt to respond.
> You
> probably have one or more folks using the same dummy address for the
> source.
> This is the nature of the 'smurf' problem.
> 
> Check out:
> 
> http://www.quadrunner.com/~chuegen/smurf.cgi
> 
> This is a co-worker of mine that has put together some useful
> background and
> tips addressing this issue.
> 
> Hope that helps.
> 
> al
> 




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.