smurf amp nets, the registry (SAR)

The biggest I've ever found is, depending on the host you ping
it from you can get between 900-1200 dupes, all from which
reverses to I've mailed at&t about
this several times and have gotten no response.

On another note, I wrote a broadcast scanner about a month ago that scans
many ips in parallel so its quite fast. I took a swat at a fairly good sized
chunk of the internet in about 24 hours and spent the next week mailing
everyone with more then 10 dupes. The breakdown of replies was something
like this (out of 900 received):

40% thanking me for pointing out a router or broadcast they missed
30% from an uplink informing me they have done the filtering for a customer
10% auto-replies
9% from people who tried to tell me they were secured (they weren't) =)
3% complaints from MCI 'cause the mail was going to the wrong department
3% hate mail from people convinced I was flooding their network
3% from people telling me they no longer maintained those networks
1% people telling me that I just found a 200 dupe network on an isdn line.
1% misc. stuff

of the messages from people telling me they had patched themselves, 15% were
not or missed a broadcast (like filtering .255 and missing .0). However
after pointing this out I believe almost all were patched properly.

About 1 week later I manually tested some of the biggest broadcasts and
amazingly enough almost ALL were patched. Unfortunately despite this success
it seems my uplink received some rather nasty calls from people complaining
about the scanning, so I was unable to continue scanning from that location.

The slowest part of the process is the rwhois'ing of each /24, not to
mention the 10 min timeout after 100 or so rwhois lookups. I made a slight
effort to spread the load out among vhosts and to do parallel lookups but
wasn't able to get it functional.

The least responsive networks seem to be military based. I easily had 1000
networks on or (large numbers of dupes btw) with
dud contact information.

If anyone has a system they can donate for scanning or would like to work on
a better anti-smurf project, let me know.

wow.. that ruled...

taner@coredump:~ >wc FILE
   7804 78004 823296 FILE

that was from a ping | grep 'seq=0' | tee FILE, and I waited
until it stopped scrolling (and them some for good measure).

good lord...

I got some of these, too:

taner@coredump:~ >grep "Time to live exceeded" FILE | sort | uniq -c
     14 packet seq=0 bounced at Time to live exceeded
      7 packet seq=0 bounced at Time to live exceeded
      7 packet seq=0 bounced at Time to live exceeded
      7 packet seq=0 bounced at Time to live exceeded


Anyone from AT&T listening? :slight_smile: