RE: Broadcast pings.

[Al Roethlisberger <aroethli () cisco com>]

At 04:04 PM 12/22/97 -0500, you wrote:
> Yeah that was my initial thought, but we've been hit now from multiple
> nameservers (and constantly machines that are named "ns" or appear in a
> 'nic record).  I just found it odd that we're only getting hit from
> machines matching this pattern.  I guess it was random, but you never
> know :-)

hmm, don't know.  But it may be that a casual hacker that has recently
jumped on the smurf bandwagon may be using ns addresses as they are so
readily available. 

I have often been surprised at the lack of real knowledge some of the
perpetrators have had in some of these cases.  They just get the code, plug
in some easy data(like their ISPs ns) and away they go.  Fortunately for us,
many of these folks don't know how to choose large enough networks to ping,
so we often come out OK.

Or maybe 'someone' just discovered nslookup =) and decided to use that data.  

Who knows though.... it is certainly hard to tell sometimes.

al

> Best regards,
>
> Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
> jamie () fast net (610)954-5200 http://www.fast.net/
> FASTNET - Business and Personal Internet Solutions
>
> > -----Original Message-----
> > From:        Al Roethlisberger [SMTP:aroethli () cisco com]
> > Sent:        Monday, December 22, 1997 3:23 PM
> > To:  Jamie Scheinblum
> > Cc:  nanog () merit edu
> > Subject:     Re: Broadcast pings.
> >
> > At 12:50 PM 12/22/97 -0500, you wrote:
> > > Has anyone seen an increase of broadcast pings, where the source
> > route
> > > appears to be from a nameserver?
> > >
> > > We took a look through our access-list logs, and it seems all of the
> > > attempted attacks during the last few days have had an IP-source of a
> > > nameserver.
> > >
> > > Just thought it was curious.
> > >
> > > Best regards,
> > >
> > > Jamie Scheinblum - FASTNET(tm) / You Tools Corporation
> > > jamie () fast net (610)954-5200 http://www.fast.net/
> > > FASTNET - Business and Personal Internet Solutions
> >
> >
> > Jamie,
> >
> > It is probably just someone 'smurfing', where they fudge the source ip
> > of
> > the broadcast ping request.  The actual source of the ICMP request is
> > probably entirely different than the nameserver you are seeing in your
> > logs....hence the difficulty(although not impossible) tracking these
> > attacks.
> >
> > I would imagine that this poor nameserver in question is also
> > suffering from
> > the attack as well when all the pinged devices attempt to respond.
> > You
> > probably have one or more folks using the same dummy address for the
> > source.
> > This is the nature of the 'smurf' problem.
> >
> > Check out:
> >
> > http://www.quadrunner.com/~chuegen/smurf.cgi
> >
> > This is a co-worker of mine that has put together some useful
> > background and
> > tips addressing this issue.
> >
> > Hope that helps.
> >
> > al