Home page logo

nanog logo nanog mailing list archives

Re: [nsp] known networks for broadcast ping attacks
From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Wed, 30 Jul 1997 16:44:15 -0400

On Wed, Jul 30, 1997 at 03:47:26PM -0400, Jordyn A. Buchanan wrote:
The LAN is being used indirectly to attack another network.  Pings are
spoofed as originating from the machine that is being attacked and sent to
the broadcast address on another network.  This causes every machine on the
receiving network to send an ECHO_RESPONSE to the machine being attacked,
esentially creating a huge multiplying effect on a ping flood attack.

Apparently, the MAE-East LAN is one of the networks that attackers are
using to flood other hosts.

Time to attempt to put my other foot in my mouth.

Ought IP stack implementations not to refuse to reply to ECHO_REQUEST
packets with destination address which are broadcast addresses?

Ok, yes, I know that CIDR makes this harder, but knowing which nets
fall on non-octet boundaries is non-obvious, too, and this particular
attack wasn't trying...

.255 is _always_ a broadcast address, no?

-- jra
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]