[unisog] Another suggestion

James Riden j.riden at massey.ac.nz
Fri Nov 19 20:05:00 GMT 2004


mmunaret at studenti.math.unipd.it writes:

> Thanks again for your contribution. I made a program that runs through the 
> data and now I have all the data I need except the last one..
> for instance in that line of data:
>
> 0,icmp,ecr_i,SF,1032,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.
> --------------------
> duration: 0 sec
> protocol: icmp
> service: echo reply
> src bytes: 1032
> dest bytes: 0
> ...
> --------------------
>
> in the KDD CUP they wrote all the data from the sniffing and then put a class 
> of attack at the end of each one, as shown above! Why did they write a "smurf" 
> attack here?
> How can I get this information for the other classes?
> best regards - Matt

I can understand this - smurf attacks haven't been a major problem for
a while now as far as I've heard.

http://www.cert.org/advisories/CA-1998-01.html

Basically you send a ping to the network broadcast address, say
10.255.255.255 in 10/8, with a forged source address. Every live
machine in 10/8 then tries to send an echo reply to the forged source
address which can easily swamp it with traffic.

The echo service (port 7/udp) has been used for these attacks as well,
since it's UDP-based and allows forging of the source address.

(I actually wrote an assignment on this data-set a couple of years
back - I seem to remember it was quite an interesting problem.)

cheers,
 Jamie
-- 
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
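As an added example, not part of the original thread: the record Matt quotes is a KDD Cup 99 connection record, and the smurf label sits on it because the per-connection traffic counters (not any single packet) show the flood Jamie describes, i.e. a burst of ICMP echo replies (service "ecr_i") to one host. The code below parses such records by field name and flags records that look like a smurf echo-reply flood. Assumptions: the standard 41-feature column layout of the public KDD Cup 99 files; the line quoted in the mail carries only 28 values before the label, so the parser also accepts that abbreviated form and marks the 13 content features as absent; the `min_count` threshold of 100 and the sample lines (modelled on the quoted record, with the content features set to 0) are constructed for illustration.

```python
"""Parse KDD Cup 99 connection records and flag smurf-like ICMP echo-reply floods.

Added example for this thread, not code from the original poster or from KDD.
"""
from typing import Dict, List, Optional, Tuple

# Standard 41-feature layout of the KDD Cup 99 data set; the class label is field 42.
KDD_FEATURES: List[str] = [
    # basic features of the connection
    "duration", "protocol_type", "service", "flag", "src_bytes", "dst_bytes",
    "land", "wrong_fragment", "urgent",
    # content features derived from the payload (13)
    "hot", "num_failed_logins", "logged_in", "num_compromised", "root_shell",
    "su_attempted", "num_root", "num_file_creations", "num_shells",
    "num_access_files", "num_outbound_cmds", "is_host_login", "is_guest_login",
    # time-based traffic features over a two-second window (9)
    "count", "srv_count", "serror_rate", "srv_serror_rate", "rerror_rate",
    "srv_rerror_rate", "same_srv_rate", "diff_srv_rate", "srv_diff_host_rate",
    # host-based traffic features over the last 100 connections (10)
    "dst_host_count", "dst_host_srv_count", "dst_host_same_srv_rate",
    "dst_host_diff_srv_rate", "dst_host_same_src_port_rate",
    "dst_host_srv_diff_host_rate", "dst_host_serror_rate",
    "dst_host_srv_serror_rate", "dst_host_rerror_rate", "dst_host_srv_rerror_rate",
]
CONTENT_FEATURES = set(KDD_FEATURES[9:22])          # the 13 content features
SYMBOLIC = {"protocol_type", "service", "flag"}     # kept as strings, all else numeric


def _number(value: str):
    """Counters are integers, rates are floats; keep that distinction."""
    return int(value) if value.lstrip("-").isdigit() else float(value)


def parse_record(line: str) -> Dict[str, object]:
    """Map one comma-separated record onto named fields.

    Accepts the full 42-field form and the 29-field form quoted in the mail
    (the 13 content features missing); any other width is rejected.
    """
    fields = line.strip().split(",")
    if len(fields) == len(KDD_FEATURES) + 1:
        names = KDD_FEATURES
    elif len(fields) == len(KDD_FEATURES) - len(CONTENT_FEATURES) + 1:
        names = [n for n in KDD_FEATURES if n not in CONTENT_FEATURES]
    else:
        raise ValueError(f"expected 42 or 29 fields, got {len(fields)}")
    rec: Dict[str, object] = {}
    for name, value in zip(names, fields):
        rec[name] = value if name in SYMBOLIC else _number(value)
    for name in CONTENT_FEATURES:          # absent in the abbreviated form
        rec.setdefault(name, None)
    rec["label"] = fields[-1].rstrip(".")  # KDD labels end with a dot: "smurf."
    return rec


def looks_like_smurf(rec: Dict[str, object], min_count: int = 100) -> bool:
    """Smurf signature in KDD terms: ICMP echo replies (ecr_i) arriving at one
    host in bulk. `count` is the number of connections to the same host in the
    past two seconds, `same_srv_rate` the share of those to the same service.
    The threshold 100 is an assumed tuning parameter (the counter tops out at 511).
    """
    return (rec["protocol_type"] == "icmp" and rec["service"] == "ecr_i"
            and int(rec["count"]) >= min_count and float(rec["same_srv_rate"]) >= 0.99)


def scan(lines: List[str], min_count: int = 100) -> List[Tuple[int, str]]:
    """Return (line number, label) for every record flagged as smurf-like."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        if looks_like_smurf(rec, min_count):
            hits.append((n, str(rec["label"])))
    return hits


# Constructed sample records. SMURF_LINE is the quoted record with the 13 content
# features restored as zeros; the other two are benign ICMP and HTTP connections.
SMURF_LINE = ",".join(["0", "icmp", "ecr_i", "SF", "1032", "0"] + ["0"] * 16 +
                      ["511", "511", "0.00", "0.00", "0.00", "0.00", "1.00", "0.00", "0.00",
                       "255", "255", "1.00", "0.00", "1.00", "0.00", "0.00", "0.00", "0.00", "0.00",
                       "smurf."])
ECHO_REQ_LINE = ",".join(["0", "icmp", "eco_i", "SF", "8", "0"] + ["0"] * 16 +
                         ["1", "1", "0.00", "0.00", "0.00", "0.00", "1.00", "0.00", "0.00",
                          "1", "1", "1.00", "0.00", "1.00", "0.00", "0.00", "0.00", "0.00", "0.00",
                          "normal."])
HTTP_LINE = ",".join(["0", "tcp", "http", "SF", "215", "45076", "0", "0", "0", "0", "0", "1"] +
                     ["0"] * 10 +
                     ["1", "1", "0.00", "0.00", "0.00", "0.00", "1.00", "0.00", "0.00",
                      "0", "0", "0.00", "0.00", "0.00", "0.00", "0.00", "0.00", "0.00", "0.00",
                      "normal."])
# The abbreviated 29-field line exactly as quoted in the mail.
MAIL_LINE = ("0,icmp,ecr_i,SF,1032,0,0,0,0,511,511,0.00,0.00,0.00,0.00,1.00,0.00,0.00,"
             "255,255,1.00,0.00,1.00,0.00,0.00,0.00,0.00,0.00,smurf.")
SAMPLE_LINES = [SMURF_LINE, ECHO_REQ_LINE, HTTP_LINE]

if __name__ == "__main__":
    rec = parse_record(MAIL_LINE)
    for name in ("duration", "protocol_type", "service", "src_bytes", "count",
                 "same_srv_rate", "dst_host_count", "label"):
        print(f"{name:>16}: {rec[name]}")
    print("flagged:", scan(SAMPLE_LINES))
```

The check is deliberately narrow: it only matches the echo-reply flood that the smurf label marks, so a plain echo request (service "eco_i", count 1) or an HTTP connection passes untouched, and a record of the wrong width is rejected instead of being silently misaligned against the feature names.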