Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: Smurf Amp Nets

  • From: Martin, Christian
  • Date: Sat Jun 20 02:12:58 1998

>On Thu, Jun 18, 1998 at 10:16:38PM -0700, Vern Paxson wrote:
>> > 0.0.0.0
>> > 10.0.4.0
>> > 127.0.0.0
>> > 255.255.255.0
>>
>> These are pretty cool, I must say.  Exactly how does the smurf attacker
>> route their echo requests to them?
>>
>> Vern
>
>They are straight forged packet flows.


These also can be situations where layer two devices have private
networks mixed in with public networks on the same VLAN.  Remember
broadcast address translation between layer 3 & 2 through a
store-and-forward (or cut-through - any MIN type box will do this)
switch will generate MAC layer frames and deliver them out of each port
in the VLAN.  I know broadcast pings on a Cisco device that is connected
to a switch, where the output interface has IP block A, and the VLAN has
IP blocks C, D, E, will result in replies from all networks connected to
the VLAN, not just the IP block configured on the router.  This is why
on almost every attack we've seen here, there have been RFC 1918
addresses involved as amplifiers.

Christian
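
The following is an added example, not part of the original message: a defensive audit for the condition described above, RFC 1918 blocks sharing a VLAN with other blocks. The inventory format, the VLAN numbers and all prefixes are constructed for illustration (documentation ranges stand in for public space, and the /24 on 10.0.4.0 is an assumption).

```python
import ipaddress
from collections import defaultdict

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    """True if the IPv4 prefix lies entirely inside an RFC 1918 block."""
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918)

def mixed_vlans(inventory):
    """Return {vlan: (private_prefixes, other_prefixes)} for every VLAN
    that carries both RFC 1918 and non-RFC 1918 prefixes."""
    by_vlan = defaultdict(lambda: ([], []))
    for vlan, prefix in inventory:
        net = ipaddress.ip_network(prefix)
        by_vlan[vlan][0 if is_rfc1918(net) else 1].append(str(net))
    return {v: pair for v, pair in by_vlan.items() if pair[0] and pair[1]}

# Constructed inventory of (VLAN id, prefix in use on that VLAN).
INVENTORY = [
    (10, "192.0.2.0/24"),     # block configured on the router interface
    (10, "10.0.4.0/24"),      # private block on the same VLAN
    (10, "198.51.100.0/25"),
    (20, "203.0.113.0/24"),   # single block, not flagged
    (30, "172.16.8.0/22"),    # private only, not flagged
    (30, "192.168.1.0/24"),
]

if __name__ == "__main__":
    for vlan, (private, other) in sorted(mixed_vlans(INVENTORY).items()):
        print(f"VLAN {vlan}: RFC 1918 {private} shares a broadcast "
              f"domain with {other}")
```

VLANs flagged here are the ones where a broadcast frame delivered to every port reaches hosts outside the block configured on the router, so they are the first places to check when private addresses show up as reply sources.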



