smurf's attack...

The following network numbers were pulled from a program called "smurf".
The program sends a large amount of spoofed traffic at broadcast addresses,
hoping their echo packets will be magnified and sent to the spoofed address.
The providers/machines most commonly hit are IRC servers and providers.
To keep from being an intermediary, one must turn off "ip directed
broadcasts" on the router's interface.


The notice is appreciated. You're new on NANOG, right?

Someone else posted this about a month ago. I stuck my foot in my
mouth up to about the ankle misinterpreting the attack, as everyone was
kind enough to point out to me...

:)

Cheers,
-- jra

What are the implications of turning off "ip directed broadcasts" on our
routers? Or is this something that all backbone providers or ISPs
automatically do (kind of like "ip classless" and "ip subnet-zero")?

Thx...David

* David Papp | 4907-99 Street | Phone: +1.403.430.0811 *
* Manager | Edmonton, Alberta | Fax: +1.403.436.9963 *
* OA Internet Inc. | Canada, T6E 4Y1 | Email: david@oanet.com *

> What are the implications of turning off "ip directed broadcasts" on our
> routers? Or is this something that all backbone providers or ISPs
> automatically do (kind of like "ip classless" and "ip subnet-zero")?

This was covered in some detail about a month ago, so you could check the
list's archives. The operational implications of turning off "ip directed
broadcasts" seem negligible--there are very few circumstances in which you
*need* to send packets to the broadcast address on another network.

I would hope that this becomes "automatic" like the other commands you mention.
I can think of very few circumstances in which you need directed
broadcasts, yet by permitting them, you allow your network to be used in
attacks against others.

We're also using the following extended access list (along with
anti-spoofing filters) to prevent smurf attacks from originating from our
network:

access-list XXX deny ip any 0.0.0.255 255.255.255.0

But that's just us...

Jordyn

> access-list XXX deny ip any 0.0.0.255 255.255.255.0

You must be kidding. Why not

access-list XXX deny ip any 0.0.0.42 255.255.255.0

randy

In your usual, inimitable, "everyone ought to understand my comment"
style, Randy.

Because ".255" is very often (I'm tempted to say "almost always") a
broadcast address, and ".42" never is. (I haven't run the numbers, but
I'm fairly certain that .42 is not the broadcast address of any size
network.)

Cheers,
-- jra
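As an added illustration of the access-list argument above (my own example, not code from the thread or any of its posters), the following Python emulates the Cisco wildcard-mask match behind Jordyn's ACL line and, for constructed TEST-NET and RFC 1918 addresses, lists the prefix lengths for which an address would be a directed broadcast; it shows why ".255" is a usable if coarse proxy for "broadcast", why ".42" can never be one, and what the rule does to legitimate .255 hosts inside larger subnets.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def matches_wildcard(addr, pattern, wildcard):
    """Emulate one Cisco ACL address term: in a wildcard mask a 0 bit
    means "this bit must match", a 1 bit means "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = MASK32 ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (p & care)


def acl_last_octet_denies(dst, octet):
    """Effect of 'access-list XXX deny ip any 0.0.0.<octet> 255.255.255.0':
    every destination whose last octet equals <octet> is dropped."""
    return matches_wildcard(dst, f"0.0.0.{octet}", "255.255.255.0")


def is_directed_broadcast(addr, prefix_len):
    """True if addr is the all-ones host address of the /prefix_len subnet
    containing it (/31 and /32 have no broadcast address)."""
    if not 0 < prefix_len <= 30:
        return False
    net = ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)
    return ipaddress.IPv4Address(addr) == net.broadcast_address


def broadcast_prefix_lengths(addr):
    """All prefix lengths for which addr would be a directed broadcast.
    An empty list means no subnet of any size has addr as its broadcast
    (the host part of .42 ends in a 0 bit, so it can never be all ones)."""
    return [n for n in range(1, 31) if is_directed_broadcast(addr, n)]


if __name__ == "__main__":
    # Constructed sample destinations (TEST-NET-1 and RFC 1918 space).
    for dst in ("192.0.2.255", "192.0.2.42", "192.0.2.63", "172.16.5.255"):
        print(dst,
              "| .255 rule drops:", acl_last_octet_denies(dst, 255),
              "| .42 rule drops:", acl_last_octet_denies(dst, 42),
              "| broadcast for prefixes:", broadcast_prefix_lengths(dst))
```

172.16.5.255 is an ordinary host inside 172.16.0.0/16, yet the .255 rule drops traffic to it, which is why the ACL is a backstop beside anti-spoofing filters and "no ip directed-broadcast" rather than a substitute for them.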

But 42 is the ultimate answer to life, the Universe and Everything!

As I feared would happen, there seem to be multiple versions of smurf out
with different amplifier network lists. FDT was smurfed for about an hour
last night, and of the list of broadcast addresses posted very few were used
in last night's attack...and a large number of the nets used were not in the
posted list.

Some of the more heavily populated (and thus nastier) amplification nets
used last night follow.

If you're on this list, PLEASE FIX YOUR ROUTERS. If you're using Ciscos,
it's probably as simple as adding "no ip directed-broadcast" to the
ethernet interfaces on your routers.

Also, what's the deal with Internic allowing registrations with things
like nomailbox@NOWHERE? That's an incredibly useful contact. If Kent
Percival is in charge of a university's network, surely he has an email
address. Maybe it's time for a smurf amplifier blackhole list. If you're
used as a smurf amplifier, you get BGP blackholed for say 6 hours, and on
each subsequent occurrence, the time doubles. I bet that would fix the
problem real fast.
