Bugtraq mailing list archives

Re: netscan.org - broadcast ICMP list

From: fyodor () DHP COM (Fyodor)
Date: Thu, 31 Dec 1998 15:22:14 -0500

http://netscan.org has the first (relatively) complete database of ICMP
directed broadcast networks ("smurf amplifiers").  All allocated IP
addresses ending in .0 or .255 have been pinged and measured


On their page they say they are not going to release the scanner they use
to test networks for the problem -- people should use their web query form
instead.  This is unfortunate because the query form (like their database)
seems to only check .0 and .255 addresses.  Also it only seems to do class
'C' addresses, meaning that you have to type in 256 addresses, one at a
time, to do a class 'B'.

To save people this effort, I thought I'd mention that for the last 9
months nmap has had the capability to locate smurf addresses on your
network.  It allows you to specify which addresses to ping and it does the
scan in parallel using the ICMP ping ID and sequence number to demultiplex
the responses.

As a quick example, lets say you run the class 'B' 209.12 (I picked this
as a "random" occupied net -- use your own numbers).  You want to include
6-bit subnets, so you want to check addresses ending in
0,63,64,127,128,191,192, or 255.

The command you would use is:

nmap -n -sP -PI -o smurf.log '209.12.*.0,63,64,127,128,191,192,255'

From my machine it took 3 minutes to find 392 smurf addresses.  Notice

that 209.12.147.127, 209.12.17.63, 209.12.228.191 all have at least 20X
amplification, and these addresses would not be discoverd by checking only
.0 and .255 addresses.

Some admins have told me they run nmap every day or week from cron to warn
them of new machines popping up on their network, new ports opening up,
new smurf addresses, boxes that change their operating systems, etc.

Nmap can be obtained from http://www.insecure.org/nmap/ .

Cheers,
Fyodor


--
Fyodor                            'finger pgp () www insecure org | pgp -fka'
"Girls are different from hacking. You can't just brute force them if all
else fails." --SKiMo, quoted in _Underground_ (good book)

Current thread:

Re: netscan.org - broadcast ICMP list Fyodor (Dec 31)
- Deception Toolkit on SCO root6 (Jan 01)
- nmap can crash microsoft telnetd Tomas Halgas (Jan 02)
- Re: netscan.org - broadcast ICMP list Troy Davis (Jan 02)
- UNIX ELF PARASITES AND VIRUS silvio () BIG NET AU (Jan 02)
- <Possible follow-ups>
- Re: netscan.org - broadcast ICMP list Troy Davis (Dec 31)
- Re: netscan.org - broadcast ICMP list eric lindvall (Dec 31)