nanog mailing list archives
Re: Huge smurf attack
From: Jeremiah Kristal <jeremiah () fs IConNet NET>
Date: Mon, 11 Jan 1999 10:11:48 -0500 (EST)
On Sat, 9 Jan 1999, Phil Howard wrote:
Brandon Ross wrote:ftp://ftp.mindspring.net/users/bross/smurfsourcesI find it slightly interesting that some private addresses were in the list. There were some addresses in 10/8, 172.16/12, and 192.168/16. Thus the source of the attack must have had some addresses in these private network ranges reachable somehow, either internally in the network the attacker(s) originate, or routes leaking onto the internet. If the former, that would mean they had the capacity from that internal network to carry the forged echo requests as well as those private sourced echo replies.
I find it even more interesting how often I see 10.177.180.0/24 showing up in smurf logs. Is there some equipment that defaults to this network, some manual that uses this as an example, or is there a specific LAN that gets hit on every major smurf attack? If it's really one network, you would think we could find and provide clue to the operator(s). Jeremiah
Current thread:
- Huge smurf attack Brandon Ross (Jan 09)
- Re: Huge smurf attack Brandon Ross (Jan 09)
- Re: Huge smurf attack Brandon Ross (Jan 09)
- <Possible follow-ups>
- Re: Huge smurf attack Brandon Ross (Jan 09)
- Re: Huge smurf attack Phil Howard (Jan 09)
- Re: Huge smurf attack Jeremiah Kristal (Jan 11)
- Re: Huge smurf attack Joe Shaw (Jan 11)
- Re: Huge smurf attack Phil Howard (Jan 11)
- Re: Huge smurf attack Jeremiah Kristal (Jan 11)
- Re: Huge smurf attack Phil Howard (Jan 11)
- Re: Huge smurf attack Dalvenjah FoxFire (Jan 11)
- Re: Huge smurf attack Alex P. Rudnev (Jan 11)
- Re: Huge smurf attack Dan Hollis (Jan 11)
- Solution: Re: Huge smurf attack Jon Lewis (Jan 11)
- Re: Solution: Re: Huge smurf attack Dan Hollis (Jan 11)
- Re: Solution: Re: Huge smurf attack Jon Lewis (Jan 11)
- Re: Huge smurf attack Phil Howard (Jan 09)
- Re: Huge smurf attack Brandon Ross (Jan 09)