North American Network Operators Group


Re: smurf

  • From: Mike Hedlund
  • Date: Mon Dec 08 17:04:55 1997

On Tue, 9 Dec 1997, Adrian Chadd wrote:

> 
> 
> On Fri, 5 Dec 1997, Wayne Bouchard wrote:
> 
> [snip]
> 
> > threaten the most disruption of internet services. With ISDN and
> > DSL, users have the bandwidth necessary to generate even more
> > dangerous levels of traffic. If you don't think this issue affects
> > you, it does. If you're not a target, you're probably being used
> > as a source.
> 
> I agree totally.
> A couple of problems:
> 
> * Filtering ALL ICMP is pretty silly, ICMP is there for more than just
>   pings, and some of it is important.

Sure.. but it won't take a genius on the attacker's side to figure out what
types aren't being blocked, and use those..

> * If people start doing this, someone with a smidgen of time on their
>   hands will write a ping flooder that uses random TCP or UDP packets
>   with spoofed from addresses.
> 

Well.. the main problem with smurf is that as far as I know, it uses the
reply from a broadcast. That will rule out TCP unless they send a direct
flow from the attacker's box to the destination/victim's box. For UDP,
you would have to send it to a broadcast, and also hope there is a UDP
service listening (i.e. a test program I wrote sent 1 UDP broadcast to
198.32.136.255:7 and received a whole bunch of replies.. turning off small
services on routers would be helpful.. :)). You could also do that to
any network, the point being.. it's easier to disable simple UDP services
than to set up filters on border routers..


-mike
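
The following is an added example, not part of the original message or thread: a small auditor that flags the two router settings this discussion turns on (small services answering on broadcast, and directed broadcast being forwarded). It assumes Cisco IOS configuration syntax; the sample config, its addresses and the `default_on` parameter (whether the release enables both features unless negated) are constructed for illustration.

```python
import re

# Constructed sample config (not from the thread). Assumes Cisco IOS syntax.
SAMPLE_CONFIG = """\
hostname edge1
service udp-small-servers
no service tcp-small-servers
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip directed-broadcast
"""

def audit(config, default_on=True):
    """Return sorted findings for settings that let a router act as an amplifier.

    default_on (assumption): True models releases where small servers and
    directed broadcast are enabled unless explicitly negated with "no ...".
    """
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Global small services (echo, chargen, discard, daytime).
    for proto in ("udp", "tcp"):
        cmd = f"service {proto}-small-servers"
        if cmd in lines or (default_on and f"no {cmd}" not in lines):
            findings.append(f"global: {proto} small servers enabled")
    # Group indented sub-commands under the interface they belong to.
    iface, blocks = None, {}
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            blocks[iface] = []
        elif line.startswith(" ") and iface:
            blocks[iface].append(line.strip())
        else:
            iface = None
    for name, cmds in blocks.items():
        explicit = any(c.startswith("ip directed-broadcast") for c in cmds)
        if explicit or (default_on and "no ip directed-broadcast" not in cmds):
            findings.append(f"{name}: directed broadcast enabled")
    return sorted(findings)
```

Run it with `default_on=False` when auditing a release that ships with both features disabled, so only explicit enables are reported.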