John Fraizer wrote:

The thing that makes it "interesting" is the fact that most implementations
DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in
the neighborhood of 1.7Mb before they routed the netblock in question to a
loopback interface on the 7507. The attacker was sending less than 300Kb
of traffic and consuming 2Mb.

Any idea where that much amplification is coming from? For smurf with an echo
request to a broadcast, it's easy to see why there is so much amplification.
But for a TCP or UDP packet to port 0, wouldn't just one port unreachable be
sent back to the (spoofed) source?
Or is it a broadcast TCP or UDP packet to port 0 ???

Sean Butler, IBM Global Services