Home page logo
/

nanog logo nanog mailing list archives

Re: SMURF amplifier block list
From: shields () crosslink net (Michael Shields)
Date: 13 Apr 1998 09:51:03 +0000

In article <Pine.BSI.3.93.980412085359.7879a-100000 () sidhe memra com>,
Michael Dillon <michael () memra com> wrote:
If Karl will supply us the IP address of a non-critical machine in his
network then we only need one list maintained. Anyone can then add new
networks to Karl's list simply by smurfing his non-critical machine and it
will still meet his criteria of a verified atack.

Careful.  I could, from a well-connected machine, launch a stream of
forged ICMP echo replies from various 199.166.227.x addresses.  This
would cause it to look like junction.net was the source of a smurf,
and cause them to be blocked.

Well, in the case of junction.net, there is no such forgery needed.

    ~$ host www.memra.com
    www.memra.com           A       199.166.227.56
    ~$ ping 199.166.227.255
    PING 199.166.227.255 (199.166.227.255): 56 data bytes
    64 bytes from 134.87.109.226: icmp_seq=0 ttl=243 time=110.2 ms
    64 bytes from 199.166.227.41: icmp_seq=0 ttl=51 time=111.0 ms (DUP!)
    64 bytes from 199.166.227.32: icmp_seq=0 ttl=242 time=112.2 ms (DUP!)
    64 bytes from 199.166.227.54: icmp_seq=0 ttl=51 time=112.8 ms (DUP!)
    64 bytes from 199.166.227.5: icmp_seq=0 ttl=51 time=113.7 ms (DUP!)
    64 bytes from 199.166.227.27: icmp_seq=0 ttl=51 time=114.3 ms (DUP!)
    64 bytes from 199.166.227.22: icmp_seq=0 ttl=51 time=115.0 ms (DUP!)
    64 bytes from 199.166.227.1: icmp_seq=0 ttl=51 time=115.7 ms (DUP!)
    64 bytes from 199.166.227.12: icmp_seq=0 ttl=242 time=116.4 ms (DUP!)
    64 bytes from 199.166.227.19: icmp_seq=0 ttl=51 time=117.0 ms (DUP!)
    64 bytes from 199.166.227.21: icmp_seq=0 ttl=242 time=117.7 ms (DUP!)
    64 bytes from 199.166.227.28: icmp_seq=0 ttl=51 time=118.3 ms (DUP!)
    64 bytes from 199.166.227.26: icmp_seq=0 ttl=242 time=119.0 ms (DUP!)

    --- 199.166.227.255 ping statistics ---
    1 packets transmitted, 1 packets received, +12 duplicates, 0% packet loss
    round-trip min/avg/max = 110.2/114.8/119.0 ms

-- 
Shields, CrossLink.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]