Re: smurf attack.

From: Highbit <highbit_at_no.spam.please>
Date: Mon Dec 29 1997 - 14:13:44 CST

On Mon, Dec 29, 1997 at 09:32:26AM -0800, Colin Coller wrote:
> i think i was used as an intermediary in a bunch of smurf attacks early
> yesterday morning. i've got about four megabytes of tcpdump output of
> echo requests from different hosts to 255.255.255.255.
>
> [root@colin /root]# tcpdump icmp -i eth0 | grep request
> tcpdump: listening on eth0
> 01:27:21.409738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55851)
> 01:27:21.429738 c2.constant.com > 255.255.255.255: icmp: echo request (ttl 246, id 55877)
> 01:27:21.439738 c2.constant.com > 255.255.255.255: icmp: echo request (ttl 246, id 55887)
> 01:27:21.449738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55894)
> 01:27:21.469738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55921)
> 01:27:21.489738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55951)

sasktel is working on fixing it, hopefully by simply NOT forwarding broadcast icmp echo requests
to us adsl'ers.

i've been noticing the attacks starting around the 20th of december, and started a log
of all icmps coming to my box: 38 THOUSAND packets in the last 24 hours. that's friggin
ridiculous. i'd be willing to bet it's someone on irc that's amusing himself
by ping-flooding people off irc. (given the short durations of the attacks,
and that a lot of the victim ip's tend to be dialup ppp lines)

 
> i talked to the administrator of sunysb.edu and he said that there had
> been some silliness on the #shells channel that evening. i can only
> assume that some idiot with adsl was kicked off of #shells and decided to
> smurf everyone else on the channel.

can someone confirm that one HAS to be inside our adsl subnet to do the attack?
i was under the impression that anyone outside our subnet would be able to do
the attack. (would we be able to snag the hardware ethernet "mac" address if the attacker
were actually in our subnet? would only be useful to prove/disprove suspects)
 
> for those of you who don't know what a smurf attack is, it involves
> forging an icmp echo request from the host to attack, sending it to a
> broadcast address and letting all of the hosts who receive the icmp
> echo request send an icmp echo reply back. it's a magnified ping flood
> which disguises the real attacker.
>
> did anyone notice anything else unusual yesterday morning at about 1:00?

didn't get anything at 1am. at 2am the victim was wnpgas07-p18.mts.net 205.200.18.224 for at least
half an hour, then a minute later it wailed on another victim for a good 10 minutes.

the pathetic part is, when this is all going on, all our ping times to the gateway
go absolutely for shit. talking 5-7 SECONDS, rather than the usual "low ping bastard"
heaven of 27ms... definitely makes for an ugly game of quakeworld.

 
> can anyone see how this might impact those of us with adsl who are going
> to be restricted to one gigabyte of bandwidth every month and then have
> to pay per megabyte? i already have a rant in to sasktel about this.
>
> can anyone see how we might prevent this sort of thing? i've already
> firewalled icmp traffic, so i'm not sending icmp echo replies, but i'd
> hate to be mistaken for an attacker and firewalled from useful services
> because everyone else in my subnet is.
>
> colin

i can only hope that sasktel will fix it, and given the mail i've received so
far from them, they want it fixed as much as we do. at least i haven't seen
an attack since 11:25am today (2:10pm as i write this)

--
Mark Duguid         Saskatoon, Saskatchewan         highbit@spooge.ml.org
Linux -- simply a matter of pride.
Microsoft -- how can we make it shittier so we can sell more upgrades.
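Added example, not part of Mark's or Colin's posts: a small Python parser for the tcpdump lines quoted above that picks out echo requests aimed at a broadcast address (the stimulus that turns a subnet into a smurf amplifier) and tallies them by source. As Colin's description says, the source in such a packet is forged to be the host under attack, so the tallies name victims, not the attacker. The six broadcast lines are copied from Colin's capture; the two unicast lines and the names gw.example.net / host7.example.net are constructed so the detector has something to ignore. It assumes the 1997-era tcpdump line format exactly as quoted.

```python
import re
from collections import Counter

# Constructed sample input in the tcpdump format quoted in the thread. The six
# broadcast lines reproduce Colin's capture; the two unicast lines are made up
# to show ordinary ICMP traffic that must not be flagged.
SAMPLE = """\
01:27:21.409738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55851)
01:27:21.429738 c2.constant.com > 255.255.255.255: icmp: echo request (ttl 246, id 55877)
01:27:21.439738 c2.constant.com > 255.255.255.255: icmp: echo request (ttl 246, id 55887)
01:27:21.449738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55894)
01:27:21.469738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55921)
01:27:21.489738 rsfq1.physics.sunysb.edu > 255.255.255.255: icmp: echo request (ttl 246, id 55951)
01:27:22.100000 gw.example.net > host7.example.net: icmp: echo request (ttl 64, id 1)
01:27:22.200000 host7.example.net > gw.example.net: icmp: echo reply (ttl 64, id 1)
"""

# One tcpdump ICMP echo line: "HH:MM:SS.frac SRC > DST: icmp: echo request (ttl N, id N)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):\s+icmp:\s+"
    r"(?P<kind>echo request|echo reply)\s+\(ttl (?P<ttl>\d+), id (?P<id>\d+)\)"
)

# Echo requests to these destinations are never legitimate from off-link.
# The limited broadcast is always here; a site would add its own directed
# broadcast address (the .255 of its subnet), which this example does not know.
BROADCAST_ADDRS = {"255.255.255.255"}


def parse_line(line):
    """Return a dict for an ICMP echo line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    h, mnt, s = rec["ts"].split(":")
    rec["seconds"] = int(h) * 3600 + int(mnt) * 60 + float(s)
    rec["ttl"] = int(rec["ttl"])
    rec["id"] = int(rec["id"])
    return rec


def smurf_probes(text, broadcast=BROADCAST_ADDRS):
    """Echo requests addressed to a broadcast address: the amplification stimulus."""
    probes = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "echo request" and rec["dst"] in broadcast:
            probes.append(rec)
    return probes


def victims(probes):
    """The source of a smurf probe is forged to the target, so count sources as victims."""
    return Counter(p["src"] for p in probes)


def peak_per_second(probes):
    """Largest number of probes landing in any one wall-clock second."""
    buckets = Counter(int(p["seconds"]) for p in probes)
    return max(buckets.values(), default=0)


def summarize(text):
    """Counts a defender would want from a capture: probes, what was ignored, victims, peak rate."""
    probes = smurf_probes(text)
    total_icmp = sum(1 for line in text.splitlines() if parse_line(line))
    return {
        "probe_count": len(probes),
        "ignored": total_icmp - len(probes),
        "victims": victims(probes),
        "peak_per_second": peak_per_second(probes),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(f"{summary['probe_count']} broadcast echo requests, "
          f"{summary['ignored']} other icmp lines ignored, "
          f"peak {summary['peak_per_second']}/s")
    for host, n in summary["victims"].most_common():
        print(f"  forged source (victim): {host}  x{n}")
```

Feeding it the grep output from the thread gives four probes with rsfq1.physics.sunysb.edu as the forged source and two with c2.constant.com, all within one second. The fix the thread asks sasktel for (not forwarding broadcast echo requests into the subnet) is the router-side half; the host-side half on a modern Linux box is the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1, which is mentioned here as an aside and is not something the 1997 posts discuss.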