Home page logo

nanog logo nanog mailing list archives

Re: Spoofed Packets
From: Henry Linneweh <linneweh () concentric net>
Date: Mon, 20 Apr 1998 09:23:50 -0700

Sounds like that new nestea multi-protocol nuke

Gary R. Mensenares wrote:

Aaaarrrggghhh! I have been under attack since 2:30AM HKT and it only
stopped just now.

I am quite familiar with smurfs. As a matter of fact, I have turned off
directed broadcast on every Cisco router I have. Constantly I am reminding
my clients to do the same thing. It is sad that some people out there
arent doing their part.

But what bothers me the most is this most recent attack. Smurfs are ICMPs
right? Well based on the logs I got, I was receiving all sorts of packets
from "non-routable" addresses. This floored my International Private Line
to MCI. I dont think they are smurfs because they do not belong to the
same network. The protocols vary too, udp, icmp and tcp. Even the ports
change. In other words, nothing is common except that they all pass thru
the same gateway to our network.

Being an ISP outside the US, bandwidth is very scarce and thus expensive
from where I come from. I am filtering these packets so they never reach
my clients. But still, the evil payload is dropped on my doorstep and it
still consumes my precious bandwidth. Shouldnt MCI, or any other provider
be filtering this on their borders? And if they are, there shouldn't be
any packets of this variety running around their links, right? So how do
these little blasted packets end up running around the internet?

I am going to be very grateful if some kind souls can help point me to
documentation on how to track these down and possible effectively prevent
it from eating my line.


Gary Mensenares
IPhil Communications Network Incorporated


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]