Re: netscan.org - broadcast ICMP list

From: Fyodor (fyodorat_private)
Date: Thu Dec 31 1998 - 12:22:14 PST


    > http://netscan.org has the first (relatively) complete database of ICMP
    > directed broadcast networks ("smurf amplifiers").  All allocated IP
    > addresses ending in .0 or .255 have been pinged and measured
    
    On their page they say they are not going to release the scanner they use
    to test networks for the problem -- people should use their web query form
    instead.  This is unfortunate because the query form (like their database)
    seems to only check .0 and .255 addresses.  Also it only seems to do class
    'C' addresses, meaning that you have to type in 256 addresses, one at a
    time, to do a class 'B'.
    
    To save people this effort, I thought I'd mention that for the last 9
    months nmap has had the capability to locate smurf addresses on your
    network.  It allows you to specify which addresses to ping and it does the
    scan in parallel using the ICMP ping ID and sequence number to demultiplex
    the responses.
    
    As a quick example, let's say you run the class 'B' 209.12 (I picked this
    as a "random" occupied net -- use your own numbers).  You want to include
    6-bit subnets, so you want to check addresses ending in
    0,63,64,127,128,191,192, or 255.
    
    The command you would use is:
    
    nmap -n -sP -PI -o smurf.log '209.12.*.0,63,64,127,128,191,192,255'
    
    From my machine it took 3 minutes to find 392 smurf addresses.  Notice
    that 209.12.147.127, 209.12.17.63, 209.12.228.191 all have at least 20X
    amplification, and these addresses would not be discovered by checking only
    .0 and .255 addresses.
    
    Some admins have told me they run nmap every day or week from cron to warn
    them of new machines popping up on their network, new ports opening up,
    new smurf addresses, boxes that change their operating systems, etc.
    
    Nmap can be obtained from http://www.insecure.org/nmap/ .
    
    Cheers,
    Fyodor
    
    
    --
    Fyodor                            'finger pgpat_private | pgp -fka'
    "Girls are different from hacking. You can't just brute force them if all
    else fails." --SKiMo, quoted in _Underground_ (good book)
    
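The two mechanics the message relies on, as an added example that is not code from Fyodor's post or from nmap: expanding a target spec such as '209.12.*.0,63,64,127,128,191,192,255' into individual addresses, and demultiplexing ICMP echo replies by (identifier, sequence number) so that a whole sweep can be in flight at once and the replies per probed address can be counted. An address that answers one request with many replies is a directed broadcast that many hosts answered, which is what makes it a smurf amplifier. The spec syntax is re-implemented here for illustration (it is not nmap's parser), the identifier value and the scenario in demo() are assumptions, and the reply counts are constructed, not measured; packets are built and parsed by hand and nothing is sent on the wire (sending would need a raw socket and root).

```python
import itertools
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
SWEEP_ID = 0x4E4D  # assumed identifier for this sweep; any 16-bit value works


def expand_targets(spec):
    """Expand an nmap-style spec into addresses. Each octet may be a number,
    a comma list, a range 'a-b' or '*' (0-255). Illustrative re-implementation
    of the syntax, not nmap's own parser."""
    octets = []
    for part in spec.split("."):
        values = []
        for item in part.split(","):
            if item == "*":
                values.extend(range(256))
            elif "-" in item:
                lo, hi = (int(x) for x in item.split("-"))
                values.extend(range(lo, hi + 1))
            else:
                values.append(int(item))
        octets.append(values)
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b""):
    """ICMP echo request/reply; ident and seq carry the probe index so a reply
    can be matched to its request without a socket per probe."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo_reply(packet):
    """Return (ident, seq) for a well-formed echo reply, else None. A correct
    ICMP message sums to zero with the checksum field included, so one pass
    over the whole packet verifies it."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != ICMP_ECHO_REPLY or code != 0 or icmp_checksum(packet) != 0:
        return None
    return ident, seq


def sweep_plan(targets, ident=SWEEP_ID):
    """One identifier per sweep, sequence number = index of the target, so the
    whole plan can be sent back to back and answered out of order."""
    return {(ident, seq): addr for seq, addr in enumerate(targets)}


def demux_replies(plan, replies):
    """Count replies per probed address; replies with another identifier, an
    unknown sequence number or a bad checksum are dropped."""
    counts = Counter()
    for packet in replies:
        key = parse_echo_reply(packet)
        if key is not None and key in plan:
            counts[plan[key]] += 1
    return counts


def amplifiers(counts, threshold=2):
    """One reply per probe is a host or router at that address; several replies
    to a single request mean a directed broadcast answered by many hosts."""
    return {addr: n for addr, n in counts.items() if n >= threshold}


def demo():
    """Constructed scenario (not measured data): one /24 from the spec in the
    post, 23 hosts answering the .127 broadcast, a router answering .0."""
    targets = expand_targets("209.12.147.0,63,64,127,128,191,192,255")
    plan = sweep_plan(targets)
    probe_for = {addr: key for key, addr in plan.items()}

    def reply_from(addr):
        ident, seq = probe_for[addr]
        return build_echo(ICMP_ECHO_REPLY, ident, seq, b"nmap")

    replies = [reply_from("209.12.147.127")] * 23
    replies.append(reply_from("209.12.147.0"))
    # Noise the demultiplexer must ignore: someone else's ping, and a reply to
    # our .255 probe whose payload was corrupted in transit.
    replies.append(build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"nmap"))
    damaged = bytearray(reply_from("209.12.147.255"))
    damaged[-1] ^= 0xFF
    replies.append(bytes(damaged))

    counts = demux_replies(plan, replies)
    return counts, amplifiers(counts)


if __name__ == "__main__":
    counts, amps = demo()
    for addr, n in sorted(counts.items()):
        print("%-16s %3d replies%s" % (addr, n, "  <-- amplifier" if addr in amps else ""))
```

The threshold of two replies per request is what separates a single host sitting on a .0/.63/.127-style address from a broadcast that a whole segment answers; the post's "20X amplification" corresponds to counts of 20 or more for one sequence number. Because matching is done on (identifier, sequence) rather than on source address, replies from the individual hosts behind a broadcast are all credited to the broadcast address that was probed, which is exactly the amplification figure an attacker would get.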