Smurf Attack

GreGorGy

This is being reported when my router makes a PPPoE iBurst connection:

Code:
2010-07-27  20:48:28 **Smurf** 192.168.2.255->> 192.168.2.1, Type:3, Code:3 (from PPPoE1 Outbound)
2010-07-27  20:48:23 **UDP Flood to Host** 192.168.1.7, 56451->> 8.8.8.8, 53 (from PPPoE1 Outbound)

Hundreds of 'em. Is it iBurst or someone trying to crack me wireless?
 
Maybe it's something on your network?

What do you have in the 192.168.2.x and 192.168.1.x ranges?

The second line looks like one of your computers at 192.168.1.7 hitting Google's DNS server with requests over UDP.
 
> Maybe it's something on your network?
>
> What do you have in the 192.168.2.x and 192.168.1.x ranges?
>
> The second line looks like one of your computers at 192.168.1.7 hitting Google's DNS server with requests over UDP.


That's just it: .2.x is not used or deployed or even alive anywhere on my network, which is:

.1.1 MacMini PP
.1.2 SMC Router => iBurst
.1.5 Wife's Win7 Netbook
.1.7 MacBook Pro

(.3,.4,.6 are all off and packed away cos we moving)

The .7 hitting Google's DNS could well be a Snow Leopard thing where Bonjour needs constant affirmation from DNS.

If I unplug the iBurst from the WAN port on my router, the smurfing stops instantly.
 
> That's just it: .2.x is not used or deployed or even alive anywhere on my network

Are you sure it's not being used by your router? What range is your iBurst modem on?

> The .7 hitting Google's DNS could well be a Snow Leopard thing where Bonjour needs constant affirmation from DNS.

Is your OS a little insecure? :)
 
Something could be spoofing that IP address?
If I understood the explanations linked to in your posts, it is the source address that is spoofed so that all the PCs on your local subnet (because the destination is a broadcast address, in this case 192.168.2.255) send their echoes to some innocent third party in a DDoS attempt.

The fact that GreGorGy's router is logging this probably means it is not forwarding the requests, so his network is safe. It would be interesting to find the origin of these packets though.
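
An added example (not part of any post in this thread): a small Python triage of the two router log lines quoted in the first post, checking the fields the replies discuss. The function names, the /24 prefix length and the 192.168.1.0/24 LAN range (taken from the host list posted above) are assumptions.

```python
import ipaddress
import re

# Log lines copied from the first post of the thread.
SAMPLE_LOG = """\
2010-07-27  20:48:28 **Smurf** 192.168.2.255->> 192.168.2.1, Type:3, Code:3 (from PPPoE1 Outbound)
2010-07-27  20:48:23 **UDP Flood to Host** 192.168.1.7, 56451->> 8.8.8.8, 53 (from PPPoE1 Outbound)
"""

ICMP_RE = re.compile(
    r"\*\*(?P<alert>[^*]+)\*\* (?P<src>[\d.]+)->> (?P<dst>[\d.]+), "
    r"Type:(?P<type>\d+), Code:(?P<code>\d+) \(from (?P<iface>\S+) (?P<dir>\w+)\)")
UDP_RE = re.compile(
    r"\*\*(?P<alert>[^*]+)\*\* (?P<src>[\d.]+), (?P<sport>\d+)->> "
    r"(?P<dst>[\d.]+), (?P<dport>\d+) \(from (?P<iface>\S+) (?P<dir>\w+)\)")

def is_broadcast(ip, prefix=24):
    """True if ip is the directed-broadcast address of its subnet (prefix is assumed)."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) == net.broadcast_address

def triage(line, lan="192.168.1.0/24"):
    """Return (alert, notes) for one log line, or None if the format is not recognised."""
    lan_net = ipaddress.ip_network(lan)  # assumed LAN range
    notes = []
    m = ICMP_RE.search(line)
    if m:
        if is_broadcast(m["src"]):
            notes.append("source is a broadcast address, which is not a valid sender")
        if ipaddress.ip_address(m["src"]) not in lan_net:
            notes.append("source is outside the LAN range")
        if (m["type"], m["code"]) == ("3", "3"):
            notes.append("ICMP 3/3 is port unreachable, not an echo request (type 8)")
        return m["alert"], notes
    m = UDP_RE.search(line)
    if m:
        if m["dport"] == "53":
            notes.append("destination port 53: DNS queries")
        if ipaddress.ip_address(m["src"]) in lan_net:
            notes.append("source is a LAN host")
        return m["alert"], notes
    return None

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(triage(entry))
```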
 
I've found malicious attacks on the iBurst network come from a certain IP address, I've blocked it on my firewall (hard lesson learnt when I reinstalled XP and connected first before service packing or firewalling....), I'll check the IP range when I get home and post it here. I think they have stopped recently (or it might just be that now I'm on Windows 7).
 