North American Network Operators Group

Re: smurf
On Tue, 9 Dec 1997, Adrian Chadd wrote:

> On Fri, 5 Dec 1997, Wayne Bouchard wrote:
>
> [snip]
>
> > threaten the most disruption of internet services. With ISDN and
> > DSL, users have the bandwidth necessary to generate even more
> > dangerous levels of traffic. If you don't think this issue affects
> > you, it does. If you're not a target, you're probably being used
> > as a source.
>
> I agree totally.
> A couple of problems:
>
> * Filtering ALL ICMP is pretty silly, ICMP is there for more than just
>   pings, and some of it is important.

Sure.. but it won't take a genius on the attacker's side to figure out what types aren't being blocked, and use those..

> * If people start doing this, someone with a smidgen of time on their
>   hands will write a ping flooder that uses random TCP or UDP packets
>   with spoofed from addresses.

Well.. the main problem with smurf is that as far as I know, it uses the reply from a broadcast. That will rule out tcp unless they send a direct flow from the attacker's box to the destination/victim's box. For UDP, you would have to send it to a broadcast, and also hope there is a udp service listening (i.e. a test program I wrote sent 1 udp broadcast to 198.32.136.255:7 and received a whole bunch of replies.. turning off small services on routers would be helpful.. :)). You could also do that to any network, the point being.. it's easier to disable simple udp services than to set up filters on border routers..

-mike
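An added example, not part of the original message: a defender-side audit of a Cisco IOS-style configuration for the UDP/TCP small services the post suggests turning off, extended to the per-interface directed-broadcast setting that the broadcast replies depend on. The sample configuration is constructed, and because defaults differ between software versions (an assumption of this sketch), a setting the config never states is reported as unknown rather than guessed.

```python
import re

# Constructed sample of an IOS-style running-config (not from the original post).
SAMPLE_CONFIG = """\
service udp-small-servers
no service tcp-small-servers
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0
 no ip directed-broadcast
!
interface Ethernet1
!
"""

def audit(config):
    """Return (findings, unknown): settings explicitly enabled, and settings
    the config never states (their default depends on the software version)."""
    findings, unknown = [], []
    services, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(no )?service (udp|tcp)-small-servers", line)
        if m:
            services.add(m.group(2))
            if not m.group(1):
                findings.append(f"{m.group(2)}-small-servers enabled")
        elif not raw.startswith(" "):
            # Any other top-level line closes the previous interface block.
            m = re.fullmatch(r"interface (.+)", line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = None
        elif current:
            m = re.fullmatch(r"(no )?ip directed-broadcast", line)
            if m:
                ifaces[current] = not m.group(1)
    for proto in ("udp", "tcp"):
        if proto not in services:
            unknown.append(f"{proto}-small-servers not stated")
    for name, enabled in ifaces.items():
        if enabled:
            findings.append(f"{name}: directed broadcast enabled")
        elif enabled is None:
            unknown.append(f"{name}: directed broadcast not stated")
    return findings, unknown
```

Calling `audit(SAMPLE_CONFIG)` returns the explicitly enabled settings and the unstated ones as two lists, so the unknowns can be checked against the documented defaults for the software version in use.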