Home page logo

nanog logo nanog mailing list archives

Re: SMURF amplifier block list
From: Jeremy Porter <jerry () freeside fc net>
Date: Mon, 20 Apr 1998 20:34:04 -0500

In message <199804210004.SAA02213 () meowy angio net>, Dave Andersen writes:
  Not really.  The lists of smurfable addresses on the net have contained
network numbers for a while now, or so goes the rumor on other lists.  It
could have come through someone scanning addresses sequentially to find a
broadcast address (mm, exciting job), or it could have come from a clueful
cracker somewhere else.  It doesn't take too many brains to use the
prepackaged hacking/crashing programs people can download off Bugtraq.

(OTOH, there are quite a few clueful crackers out there, who've found that
reading the RFCs is a good thing.  Crackers reading RFCs may not be a good
thing. :-)

If these attackers had been reading the RFCs years ago, these problems
would have been fixed on a much smaller network, causing less total
disruption.  But of course they were exploiting other security holes at
the time.  Security holes DON'T get fixed until they are exploited
on a large scale, this applies to gaping lapses in Internet design, due
to its origin of "cooperative" networks, things like sendmail and bind
defaulting to "trust everyone", i.e. sendmail relaying, and bind
additional RR poisoning.

There simply are too many things broken for someone to considering
fixing all the known issues before they are abused.  But
eventually we will see source filtering and "no ip directed broadcast",
but if sendmail relaying is any indication, it will be another year
and 1/2 before the first 90% of the problem is fixed.

Jeremy Porter, Freeside Communications, Inc.      jerry () fc net
PO BOX 80315 Austin, Tx 78708  | 512-458-9810

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]