[unisog] Another suggestion

James Riden j.riden at massey.ac.nz
Fri Nov 19 20:05:00 GMT 2004

mmunaret at studenti.math.unipd.it writes:

> Thanks again for your contribution. I made a program that runs through the 
> data and now I have all the data I need except the last one..
> for instance in that line of data:
> 0,icmp,ecr_i,SF,1032,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
> --------------------
> duration: 0 sec
> protocol: icmp
> service: echo reply
> src bytes: 1032
> dest bytes: 0
> ...
> --------------------
> In the KDD CUP they wrote all the data from the sniffing and then put a class 
> of attack at the end of each one, as shown above! Why did they write a "smurf" 
> attack here?
> How can I get this information for the other classes?
> best regards - Matt

I can understand this - smurf attacks haven't been a major problem for
a while now as far as I've heard.

Basically you send a ping to the network broadcast address, say in 10/8,
with a forged source address. Every live machine in 10/8 then tries to
send an echo reply to the forged source address which can easily swamp
it with traffic.

The echo service (port 7/udp) has been used for these attacks as well,
since it's UDP-based and allows forging of the source address.

(I actually wrote an assignment on this data-set a couple of years
back - I seem to remember it was quite an interesting problem.)

James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
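As an added example (not part of this thread), a parser for the 29-column record layout of the quoted line, assuming it is the KDD Cup 99 feature set with the 13 content features dropped; the column names, the smurf heuristic and the second sample record are assumptions or constructed for illustration:

```python
import csv
from collections import Counter

# Assumed layout: KDD Cup 99 basic, time-based and host-based features with the
# 13 content features dropped, which gives the 29 columns of the quoted line.
FIELDS = [
    "duration", "protocol_type", "service", "flag", "src_bytes", "dst_bytes",
    "land", "wrong_fragment", "urgent",
    "count", "srv_count", "serror_rate", "srv_serror_rate", "rerror_rate",
    "srv_rerror_rate", "same_srv_rate", "diff_srv_rate", "srv_diff_host_rate",
    "dst_host_count", "dst_host_srv_count", "dst_host_same_srv_rate",
    "dst_host_diff_srv_rate", "dst_host_same_src_port_rate",
    "dst_host_srv_diff_host_rate", "dst_host_serror_rate",
    "dst_host_srv_serror_rate", "dst_host_rerror_rate", "dst_host_srv_rerror_rate",
    "label",
]
SYMBOLIC = {"protocol_type", "service", "flag", "label"}

# Constructed sample: the record from the post plus one ordinary HTTP record.
SAMPLE_LINES = [
    "0,icmp,ecr_i,SF,1032,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,"
    "255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.",
    "0,tcp,http,SF,181,5450,0,0,0,8,8,0.00,0.00,0.00,0.00,1.00,0.00,0.00,"
    "9,9,1.00,0.00,0.11,0.00,0.00,0.00,0.00,0.00,normal.",
]

def parse_record(line):
    """Map one comma-separated record onto FIELDS, converting numeric columns."""
    values = next(csv.reader([line.strip()]))
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}")
    rec = {}
    for name, raw in zip(FIELDS, values):
        if name == "label":
            rec[name] = raw.rstrip(".")  # labels end with '.' in the dump
        elif name in SYMBOLIC:
            rec[name] = raw
        else:
            rec[name] = float(raw) if "." in raw else int(raw)
    return rec

def class_counts(lines):
    """Tally records per attack class, so each class can be examined on its own."""
    return Counter(parse_record(l)["label"] for l in lines if l.strip())

def looks_like_smurf(rec, min_count=100):
    """Defender's heuristic from the post: many ICMP echo replies (ecr_i) to one
    host in the window, all to the same service, i.e. a reflected ping flood."""
    return (rec["protocol_type"] == "icmp" and rec["service"] == "ecr_i"
            and rec["count"] >= min_count and rec["same_srv_rate"] >= 0.99)
```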
