Spoofed Packets

Aaaarrrggghhh! I have been under attack since 2:30AM HKT and it only
stopped just now.

I am quite familiar with smurfs. As a matter of fact, I have turned off
directed broadcast on every Cisco router I have. Constantly I am reminding
my clients to do the same thing. It is sad that some people out there
arent doing their part.

But what bothers me the most is this most recent attack. Smurfs are ICMPs
right? Well based on the logs I got, I was receiving all sorts of packets
from "non-routable" addresses. This floored my International Private Line
to MCI. I dont think they are smurfs because they do not belong to the
same network. The protocols vary too, udp, icmp and tcp. Even the ports
change. In other words, nothing is common except that they all pass thru
the same gateway to our network.

Being an ISP outside the US, bandwidth is very scarce and thus expensive
from where I come from. I am filtering these packets so they never reach
my clients. But still, the evil payload is dropped on my doorstep and it
still consumes my precious bandwidth. Shouldnt MCI, or any other provider
be filtering this on their borders? And if they are, there shouldn't be
any packets of this variety running around their links, right? So how do
these little blasted packets end up running around the internet?

I am going to be very grateful if some kind souls can help point me to
documentation on how to track these down and possible effectively prevent
it from eating my line.


Start here:


- paul

Sounds like that new nestea multi-protocol nuke

Gary R. Mensenares wrote: