nanog mailing list archives

Re: Smurf Amp Nets


From: "Richard Thomas" <buglord () ex-pressnet com>
Date: Fri, 19 Jun 1998 22:25:37 -0400

-----Original Message-----
From: Karl Denninger <karl () mcs net>
To: Vern Paxson <vern () ee lbl gov>
Cc: Andrew Herdman <andrew () whine com>; nanog () merit net <nanog () merit net>
Date: Friday, June 19, 1998 9:37 AM
Subject: Re: Smurf Amp Nets


On Thu, Jun 18, 1998 at 10:16:38PM -0700, Vern Paxson wrote:
> 0.0.0.0
> 10.0.4.0
> 127.0.0.0
> 255.255.255.0
>
> These are pretty cool, I must say.  Exactly how does the smurf attacker
> route their echo requests to them?
>
> Vern

They are straight forged packet flows.

Nah, those are machines on the relay being used sending those replies.
Sometimes from machines given those IPs and sometimes from misconfigured
networks. I used to have one that would reply 500 times from 10.0.0.1. Just
because the broadcast being used is 1.2.3.255 does not mean you will only
get packets from 1.2.3.x, and conversely, because you receive pings from
1.2.3.x and 1.2.4.x and 1.2.5.x does not necessarily mean there are 3
broadcasts being used. It could easily be only on 1.2.3.255 or even
1.2.69.255 for all you know (and I've seen strange cases of each). This is a
complication when you are getting your bcasts from logs of a smurf attack,
because you never really know where those 10.0.0.0/8's come from, and a
complication when you are getting your bcasts from a network scan, because
you sometimes see huge arrays of broadcasts that are actually just the same
hosts being repeated on different broadcasts (e.g. you just found 1.2.3.255 -
1.2.203.255 all have 200 dupes each, but closer examination reveals every
broadcast returns replies from the same host). Fortunately, these problems
are even more annoying to the smurf kiddies, for whom it is important to have an
accurate estimation of the damage that will be inflicted.
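
The two attribution pitfalls above, as an added example that is not part of the thread or anyone's posted code: a small triage script for a smurf victim's echo-reply log. It separates reply sources that cannot locate an amplifier at all (RFC 1918, loopback, 0/8, reserved space such as 255.255.255.0) from those that might, turns the rest into a list of candidate /24 broadcasts that is explicitly only a guess, and, for the scanning case, collapses broadcasts that return the identical set of replying hosts. The log format (tcpdump-style "src > dst: ICMP echo reply"), the sample lines and the scan results are all constructed for the example.

```python
"""Triage of ICMP echo-reply sources seen at a smurf victim.

Added example for the NANOG thread above, not code from the thread.
The log format, sample log lines and scan results are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed victim-side capture. Note the bogon/reserved sources
# (10.0.0.1, 127.0.0.1, 0.0.0.0, 255.255.255.0) and a reply from 1.2.4.7
# even though (in this constructed scenario) only 1.2.3.255 was hit.
SAMPLE_LOG = """\
1.2.3.10 > 203.0.113.5: ICMP echo reply
1.2.3.11 > 203.0.113.5: ICMP echo reply
1.2.4.7 > 203.0.113.5: ICMP echo reply
10.0.0.1 > 203.0.113.5: ICMP echo reply
10.0.0.1 > 203.0.113.5: ICMP echo reply
127.0.0.1 > 203.0.113.5: ICMP echo reply
0.0.0.0 > 203.0.113.5: ICMP echo reply
255.255.255.0 > 203.0.113.5: ICMP echo reply
1.2.3.10 > 203.0.113.5: ICMP echo reply
"""

# Source ranges from which a reply says nothing about which network sent it.
UNTRACEABLE = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
              "224.0.0.0/4", "240.0.0.0/4")
]


def parse_reply_sources(log_text):
    """Return the source address of every echo-reply line, in order."""
    sources = []
    for line in log_text.splitlines():
        if "echo reply" not in line.lower() or ">" not in line:
            continue
        sources.append(line.split(">", 1)[0].strip())
    return sources


def is_untraceable(addr):
    """True if the address cannot identify the network that replied."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNTRACEABLE)


def split_sources(sources):
    """Split reply sources into (traceable, untraceable) Counters."""
    traceable, untraceable = Counter(), Counter()
    for src in sources:
        (untraceable if is_untraceable(src) else traceable)[src] += 1
    return traceable, untraceable


def candidate_broadcasts(sources, prefixlen=24):
    """Naive guess: the /24 directed broadcast of each traceable source.

    This is only a candidate list. As the thread notes, a host may reply
    from an address outside the broadcast's own /24, so each entry has to
    be confirmed (e.g. by probing the candidate broadcast directly).
    """
    guesses = Counter()
    traceable, _ = split_sources(sources)
    for src, n in traceable.items():
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        guesses[str(net.broadcast_address)] += n
    return guesses


def collapse_scan_results(scan_results):
    """Group scanned broadcasts that returned the identical set of hosts.

    scan_results maps broadcast address -> set of replying hosts. Many
    broadcasts sharing one reply set are usually the same hosts answering
    every broadcast, not many distinct amplifier networks.
    """
    groups = defaultdict(list)
    for bcast, hosts in scan_results.items():
        groups[frozenset(hosts)].append(bcast)
    return {hosts: sorted(bcasts) for hosts, bcasts in groups.items()}


if __name__ == "__main__":
    srcs = parse_reply_sources(SAMPLE_LOG)
    traceable, untraceable = split_sources(srcs)
    print("untraceable sources:", dict(untraceable))
    print("candidate broadcasts (unconfirmed):", dict(candidate_broadcasts(srcs)))
    # Constructed scan: three broadcasts, two of them answered by the same hosts.
    scan = {"1.2.3.255": {"1.2.3.10", "1.2.3.11"},
            "1.2.4.255": {"1.2.3.10", "1.2.3.11"},
            "1.2.5.255": {"1.2.5.1"}}
    for hosts, bcasts in collapse_scan_results(scan).items():
        print(sorted(hosts), "answer for", bcasts)
```

The point of keeping the untraceable sources in their own bucket rather than dropping them is that their volume still counts toward the amplification you are absorbing; they just cannot be used to name an amplifier network.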


