North American Network Operators Group


Re: [nsp] UDP broadcast filters. (fwd)

  • From: Craig A. Huegen
  • Date: Mon Mar 16 14:05:24 1998

Here's some more information about the release of the UDP smurf, also
called "fraggle", which was made this weekend.  I understand a request was
made to nanog as well requesting information.

Almost the same rules as "smurf" apply.

"no ip directed-broadcast" is your friend.


---------- Forwarded message ----------
Date: Mon, 16 Mar 1998 09:35:36 -0800 (PST)
From: "Craig A. Huegen" <[email protected]>
To: Cisco-NSP <[email protected]>
Cc: Cisco at Colorado <[email protected]>
Subject: Re: [nsp] UDP broadcast filters.

On Mon, 16 Mar 1998 [email protected] wrote:

==>I've kept hearing about a UDP smurf floating around and I'd like to put up
==>a firewall to prevent it.  Can anyone give me any insight on how this is
==>done?  I don't understand enough about UDP, broadcasts or enough about
==>access-lists to create an effective one.  Can anyone give me some

I'm going to be updating my smurf pages at to contain the information about
the UDP smurf.

Basically, here are the key points:

* UDP smurf is just like the ICMP smurf, using directed-broadcast and UDP
  port 7

* A bit more dangerous if the packet is spoofed just right, because it
  can cause an endless packet loop with some stacks until the packets get

Prevention pieces:

* "no ip directed-broadcast" still prevents your network from being an

* Disable the internal troubleshooting services in machines, where
  possible.  For UNIX boxes, comment the "echo" and "chargen" services in
  inetd.conf and restart inetd:

#echo    stream  tcp     nowait  root    internal
#echo    dgram   udp     wait    root    internal
#chargen stream  tcp     nowait  root    internal
#chargen dgram   udp     wait    root    internal

* It's easier to filter UDP smurfs without breaking something.  For
  instance, filtering ICMP smurfs required that you break ping (and block
  ICMP echo-reply packets)

access-list <x> deny udp any eq echo any
access-list <x> deny udp any any eq echo

Adding these to an inbound access-list will protect the traffic from
getting past.

You should see more information on my pages in a few days.
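An added illustration, not part of the original mail or of any Cisco documentation, of what the two access-list entries and "no ip directed-broadcast" each do when modelled over a few constructed packets. The subnets, addresses and the `acl_action`, `is_directed_broadcast` and `router_verdict` functions are assumptions made for this demonstration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

ECHO = 7  # UDP "echo" service port named by the access-list entries in the mail

# Subnets assumed to sit behind the router (constructed documentation ranges).
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

def acl_action(pkt: Packet) -> str:
    """Model of the inbound list: deny UDP with source port echo, deny UDP
    with destination port echo, then the implicit permit for everything else."""
    if pkt.proto == "udp" and (pkt.sport == ECHO or pkt.dport == ECHO):
        return "deny"
    return "permit"

def is_directed_broadcast(pkt: Packet) -> bool:
    """True when the destination is the broadcast address of an attached subnet."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == net.broadcast_address for net in LOCAL_SUBNETS)

def router_verdict(pkt: Packet, directed_broadcast: bool = False) -> str:
    """Apply the ACL first, then the directed-broadcast forwarding decision
    ("no ip directed-broadcast" corresponds to directed_broadcast=False)."""
    if acl_action(pkt) == "deny":
        return "dropped by acl"
    if is_directed_broadcast(pkt) and not directed_broadcast:
        return "dropped, directed broadcast disabled"
    return "forwarded"

# Constructed sample packets: (proto, src, sport, dst, dport)
SAMPLE = [
    Packet("udp", "203.0.113.5", 1234, "192.0.2.255", ECHO),  # UDP echo aimed at the subnet broadcast
    Packet("udp", "192.0.2.10", ECHO, "203.0.113.5", 1234),   # echo replies the hosts would send back
    Packet("udp", "203.0.113.5", 4444, "192.0.2.10", 53),     # ordinary DNS query, must still pass
    Packet("icmp", "203.0.113.5", 0, "192.0.2.255", 0),       # ICMP to broadcast: ACL silent, router setting decides
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {router_verdict(pkt)}")
```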