Eskimo North



          Ping "attack" ? (fwd)


          • To: outages-list@eskimo.com
          • Subject: Ping "attack" ? (fwd)
          • From: Robert Dinse <nanook@eskimo.com>
          • Date: Wed, 8 Apr 1998 01:01:48 -0700 (PDT)
          • cc: cert@cert.org
          • Resent-Date: Wed, 8 Apr 1998 01:01:54 -0700
          • Resent-From: outages-list@eskimo.com
          • Resent-Message-ID: <"z4Hg43.0._q7.nxoAr"@mx1>
          • Resent-Sender: outages-list-request@eskimo.com

          
               We have been having some problems today and yesterday with one of our
          links, this e-mail which I received tells the reason (though the person sending
          it didn't understand it).  Someone has made us the target of a "smurf" attack. 
          This is an ICMP flood attack where an intermediate network is sent ICMP echo
          request packets with the originating address forged to be that of the target
          and those are sent to the broadcast address of the intermediate network. 
          
               What this does is, if the intermediate network allows broadcast packets
          from the outside world, causes every host on the intermediate network to send
          ICMP echo reply packets to the target host that is the forged source address.
          This smurf attack was directed at, among other things, chat.eskimo.com.  And
          while ICMP is filtered here, and while Sprint queues it at lowest priority to
          prevent it from stopping other traffic from getting through, it still increases
          the load on the router CPU to the point where it starts flaking out, thus
          affecting service. 
          
               Because the source address is forged, it is very difficult to determine
          the true origin of the attack.  However, because of the particular choice of
          targets, I have a pretty good idea of who, or what group of people were
          responsible for this one.  The difficulty is proving it and getting law
          enforcement to do anything about it. 
          
          ---------- Forwarded message ----------
          Date: Wed, 08 Apr 1998 09:35:29 +0200
          From: Craig Faasen <craig.faasen@diasemi.de>
          To: hostmaster@CS.Berkeley.EDU, hostmaster@nada.kth.se,
              hostmaster@microsoft.com, hostmaster@u.washington.edu,
              hostmaster@daxnet.no, hostmaster@waterw.com, hostmaster@dhp.com,
              hostmaster@pangea.ca, hostmaster@eskimo.com, hostmaster@polyester.net,
              hostmaster@ba.best.com, hostmaster@prismapkg.com,
              hostmaster@datagrid.com, hostmaster@ionet.net, hostmaster@ais.net,
              hostmaster@magic.mb.ca, hostmaster@spyderwebb.com,
              hostmaster@mindspring.com, hostmaster@anet-chi.com,
              hostmaster@kwiknet.net, hostmaster@martnet.com, hostmaster@sprint.ca,
              hostmaster@dialup.954access.net
          Subject: Ping "attack" ?
          
          My apologies in advance for this broadcast; I realize that "hostmaster"
          may well not be the appropriate recipient for this message - however, I
          simply do not have time to contact all relevant whois servers in order
          to identify the respective admin contacts.
          
          In the early hours (from about mid-night until 05h00 MET) of this
          morning, all of the hosts listed below sent (sometimes repeatedly)
          'ping' packets to *every* host on our network.
          
          128.32.42.75    iwojima.CS.Berkeley.EDU
          130.237.227.21  dront.nada.kth.se
          131.107.3.28    tide18.microsoft.com
          140.142.12.67   becker1.u.washington.edu
          193.216.147.78  mp-147-78.daxnet.no
          199.171.193.1   water.waterw.com
          199.245.105.1   shell.dhp.com
          204.112.101.109 surf.pangea.ca
          204.122.16.78   chat.eskimo.com
          205.133.127.110 freaky.polyester.net
          206.184.139.133 shell2.ba.best.com
          206.190.26.210  ntserver.prismapkg.com
          206.245.228.32  noc.datagrid.com
          206.41.128.8    irc.ionet.net
          207.154.187.187 merlin.ais.net
          207.161.152.101 ra.magic.mb.ca
          207.212.130.247 ppp-247-23.spyderwebb.com
          207.69.200.132  irc.mindspring.com
          207.7.4.6       zeus.anet-chi.com
          207.86.141.6    access.kwiknet.net
          208.222.251.2   merv.martnet.com
          209.103.29.242  spc-isp-ott-uas-05-41.sprint.ca
          209.203.195.149 209-203-195-149.dialup.954access.net
          
          Although I am aware that icmp can be used in an attack, I do not
          currently regard this as a threat (mainly due to the "respectable"
          domain names involved). On the other hand, I also do not regard it as
          being particularly friendly - if I had a dial-up line to my ISP, the
          phone costs incurred in keeping the line up would be passed on to me.
          
          I am very curious to know why 23 independent hosts should suddenly get
          it into their minds to ping every host on my network. Does anybody have
          any ideas or explanations ?
          
          Best regards,
          
          -- craig
          
          Craig Faasen                            Email: craig.faasen@diasemi.com
          System and Network Administrator        Tel  : +49 (0)7021 9414-40
          Dialog Semiconductor GmbH               Fax  : +49 (0)7021 9414-10
          D-73230 Germany                         whois: CF4-RIPE
          
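The two messages above describe the same smurf attack from opposite ends: Craig's network was the intermediate (reflector) network receiving echo requests addressed to its broadcast address with forged sources, and chat.eskimo.com was one of the forged sources receiving the resulting echo-reply flood. The block below is an added example, not code from either message in this thread. It runs the two checks a practitioner would want over a constructed packet summary: on the reflector side, echo requests from outside addressed to the network's directed broadcast address (and the amplification factor they achieve); on the victim side, echo replies that no outbound echo request solicited. The record format, the addresses (RFC 5737 documentation ranges), the thresholds and the sample packets are all assumptions for illustration; the sample deliberately combines both vantage points in one list so both checks can be shown on the same data.

```python
"""Added example: smurf (directed-broadcast ICMP amplification) detection
from a packet summary.  Not part of the original thread; all records and
addresses below are constructed for illustration."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical intermediate (reflector) network and hypothetical victim.
REFLECTOR_NET = ip_network("192.0.2.0/24")
VICTIM = ip_address("203.0.113.7")

# Constructed sample records: (t_seconds, src, dst, icmp_type).
# ICMP type 8 = echo request, type 0 = echo reply.
SAMPLE = [
    # attacker forges VICTIM as source, sends to the reflector's broadcast address
    (0.00, "203.0.113.7", "192.0.2.255", 8),
    (0.01, "203.0.113.7", "192.0.2.255", 8),
    # every live host on the reflector network answers the forged source
    *[(0.02 + i / 1000, f"192.0.2.{10 + i}", "203.0.113.7", 0) for i in range(40)],
    *[(0.03 + i / 1000, f"192.0.2.{10 + i}", "203.0.113.7", 0) for i in range(40)],
    # legitimate traffic: the victim pings one host and gets one reply back
    (1.00, "203.0.113.7", "198.51.100.1", 8),
    (1.05, "198.51.100.1", "203.0.113.7", 0),
]


def directed_broadcast_requests(records, our_net):
    """Reflector side: echo requests from outside our network addressed to
    our directed broadcast address.  Returns Counter {forged source: count};
    each key is a host someone is trying to flood through us."""
    hits = Counter()
    for _t, src, dst, itype in records:
        if (itype == 8 and ip_address(dst) == our_net.broadcast_address
                and ip_address(src) not in our_net):
            hits[src] += 1
    return hits


def amplification_factor(records, our_net):
    """Echo replies leaving our network per broadcast echo request received.
    Returns 0.0 when no broadcast requests were seen."""
    requests = sum(directed_broadcast_requests(records, our_net).values())
    replies = sum(1 for _t, src, _d, itype in records
                  if itype == 0 and ip_address(src) in our_net)
    return replies / requests if requests else 0.0


def unsolicited_replies(records, our_host, window=2.0):
    """Victim side: echo replies to our_host that no echo request from our_host
    to that source preceded within `window` seconds.  Because the attack forges
    our address, the replies arrive although we never asked for them.
    Returns (unsolicited_count, distinct_sources, solicited_count)."""
    last_request = {}          # dst we pinged -> time of our last request
    unsolicited = Counter()    # replying source -> unsolicited reply count
    solicited = 0
    for t, src, dst, itype in sorted(records, key=lambda r: r[0]):
        if itype == 8 and ip_address(src) == our_host:
            last_request[dst] = t
        elif itype == 0 and ip_address(dst) == our_host:
            sent = last_request.get(src)
            if sent is not None and 0 <= t - sent <= window:
                solicited += 1
            else:
                unsolicited[src] += 1
    return sum(unsolicited.values()), len(unsolicited), solicited


def is_smurf_victim(records, our_host, min_sources=20, window=2.0):
    """Flag a reply flood: many distinct hosts answering pings we never sent.
    The threshold is an assumption; a single unsolicited reply is normal."""
    unsol, distinct, _ = unsolicited_replies(records, our_host, window)
    return unsol > 0 and distinct >= min_sources


if __name__ == "__main__":
    print("reflector: forged sources ->", dict(directed_broadcast_requests(SAMPLE, REFLECTOR_NET)))
    print("reflector: amplification x%.1f" % amplification_factor(SAMPLE, REFLECTOR_NET))
    print("victim: (unsolicited, sources, solicited) =", unsolicited_replies(SAMPLE, VICTIM))
    print("victim flagged:", is_smurf_victim(SAMPLE, VICTIM))
```

On the reflector side the cure is well known: stop forwarding directed broadcasts at the border router (on Cisco IOS, `no ip directed-broadcast` on each interface, which RFC 2644 later made the default) and have hosts ignore broadcast echo requests (on Linux, `net.ipv4.icmp_echo_ignore_broadcasts=1`). The victim, as Robert notes, can only rate-limit or filter inbound echo replies and try to identify the reflector networks from the reply sources; the true origin is hidden behind the forged address.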
          
