DCS :Smurf Attacks on UC Networks. (PING Packets now denied)
- To: Network Programming Group <npg@mothra.nts.uci.edu>, ECS Operations -- Brian Buckler <bbuckler@uci.edu>, Dawn Bergan <dbergan@uci.edu>, Jon Iliescu <jiliescu@uci.edu>, lockhart@uci.edu, mjsimon@uci.edu, mscott@uci.edu, Richard Van Buskirk <rvanbusk@uci.edu>, John Schaefer <schaefer@uci.edu>, tlstrand@uci.edu, Tyler Turley <tturley@uci.edu>, John Dalenta <wjdalent@uci.edu>
- Subject: DCS :Smurf Attacks on UC Networks. (PING Packets now denied)
- From: "Michael Scott" <MSCOTT@uci.edu>
- Date: Sun, 21 Jun 1998 06:35:23 -0700 (PDT)
- Cc: dcs@oac.uci.edu, support@ics.uci.edu, oac_security_team@hydra.acs.uci.edu, noc@ucop.net, Don McLaughlin <dmclaugh@uci.edu>, Dave Tomcheck <tomcheck@uci.edu>
- Reply-to: Michael Scott <mscott@hydra.acs.uci.edu>
Hello,
On Saturday evening, UCOP reported that UCSB and UCD were the victims of a
Smurf attack.
Folks in the UCNet NOC placed a filter in the UCNet border routers to
block all ICMP traffic from getting through to UC Campuses via the two
Sprint connections (UCB and UCI). Thus, your ping tests will fail, but
connectivity to destinations outside of UCNet will work. Information is
provided below.
Interface configuration on IGTY.UCOP.EDU (7513 Border router at UCI):

interface Hssi9/0
 description T3 UCNet to Sprint (Sprint PL# 234748; NetAdd 44991116)
 ip address 144.228.170.6 255.255.255.252
 ip access-group 125 in
 no ip route-cache optimum
 ip route-cache flow
 no ip mroute-cache
!
access-list 125 deny icmp any host 128.111.96.28 log-input
access-list 125 permit ip any any

csi>trace www.mit.edu
Translating "www.mit.edu"...domain server (128.200.1.201) [OK]
Translating "www.mit.edu"...domain server (128.200.1.201) [OK]
Type escape sequence to abort.
Tracing the route to DANDELION-PATCH.MIT.EDU (18.181.0.31)
1 dimrill.gw.nts.uci.edu (128.200.245.20) 0 msec 0 msec 4 msec
2 igty2.ucop.edu (128.200.202.2) 4 msec 4 msec 0 msec
3 sl-gw8-ana-10-0-T3.sprintlink.net (144.228.170.5) 4 msec 4 msec 4 msec
4 sl-bb22-ana-2-3.sprintlink.net (144.232.1.45) 4 msec 4 msec 4 msec
5 sl-bb11-fw-6-0.sprintlink.net (144.232.8.173) 24 msec 28 msec 24 msec
6 sl-bb1-fw-8-0-0.sprintlink.net (144.232.1.158) 28 msec 24 msec 28 msec
7 144.228.180.2 32 msec 28 msec 28 msec
8 atlanta1-br1.bbnplanet.net (4.0.3.237) 52 msec 52 msec 52 msec
9 vienna1-br2.bbnplanet.net (4.0.3.154) 80 msec 80 msec 76 msec
10 vienna1-nbr3.bbnplanet.net (4.0.3.150) 76 msec 76 msec 80 msec
11 vienna1-nbr2.bbnplanet.net (4.0.5.45) 76 msec 76 msec 76 msec
12 cambridge1-nbr1.bbnplanet.net (4.0.5.42) 80 msec 80 msec 80 msec
13 cambridge1-br1.bbnplanet.net (4.0.1.22) 80 msec 80 msec 84 msec
14 cambridge2-br2.bbnplanet.net (4.0.1.202) 80 msec 80 msec 80 msec
15 ihtfp.mit.edu (192.233.33.3) 84 msec 84 msec 84 msec
16 W20-RTR-FDDI.MIT.EDU (18.168.0.8) 88 msec 84 msec 84 msec
17 DANDELION-PATCH.MIT.EDU (18.181.0.31) 88 msec * 84 msec
csi>
csi>ping mit.edu
Translating "mit.edu"...domain server (128.200.1.201) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.72.0.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
csi>
Mike
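
Added example (not part of the original message and not the NOC's own tooling): a small first-match evaluator for the two access-list 125 lines quoted above, useful for checking which packets a posted ACL actually drops before relying on it. It models only the protocol, source and destination fields; the function names and the 192.0.2.x sample packets are constructed for illustration.

```python
import ipaddress

# The two ACL lines as quoted in the message (log-input only affects logging).
ACL_125 = """\
access-list 125 deny icmp any host 128.111.96.28 log-input
access-list 125 permit ip any any
"""

def _take_addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0xFFFFFFFF)
    if head == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    # "A.B.C.D W.X.Y.Z": wildcard bits set to 1 are ignored when matching
    return (int(ipaddress.IPv4Address(head)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    """Parse 'access-list N action proto src dst' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        rules.append((action, proto, src, dst))
    return rules

def _hit(spec, addr):
    base, wild = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst):
    """Return the action of the first matching rule, as IOS does."""
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and _hit(rsrc, src) and _hit(rdst, dst):
            return action
    return "deny"  # implicit deny at the end of every IOS access list

if __name__ == "__main__":
    rules = parse_acl(ACL_125)
    # Constructed sample packets: (protocol, source, destination)
    for pkt in [("icmp", "192.0.2.10", "128.111.96.28"),
                ("tcp", "192.0.2.10", "128.111.96.28"),
                ("icmp", "192.0.2.10", "128.111.96.29")]:
        print(pkt, "->", evaluate(rules, *pkt))
```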