[unisog] The old smurf attack and router filters

Peter Van Epp vanepp at sfu.ca
Tue Dec 4 00:48:47 GMT 2001

> On Mon, Dec 03, 2001 at 03:47:39PM -0600, DelVecchio, Anthony R. wrote:
> > things I did was take a look at our router configs and added a NO IP
> > DIRECTED BROADCASTS which I believe is standard on latest router configs. 
> The net thanks you.  :-)
> > The problem was that smurfs were still working.  I eventually discoverd that
> > this was because the router was looking at the netwok address of our class B
> > and not the subnets we had broken it into. So I added some access lists
> > blocking .0's and 255's going both ways (to be good net neighbors) and all
> > was well with the universe. I have not seen this attack in about 2 years.
> Can you explain what you discovered?  Were packets coming in from the
> net to your subnets and being amplified to all hosts?  The 'no ip directed-
> broadcast' command should definitely stop them before they hit your LANs.

	When last I checked (several years ago) the no directed broadcast (at
least in Cisco and Cabletron routers) blocked 255 addresses but not the 0 
(network) address. A specific (inbound only as has been pointed out) access 
list was needed to stop 0 based smurfs. So if you are depending on only the 
no directed broadcasts, I'd suggest trying a ping to a .0 address from outside
your border and see how many responses you are getting (the smurfers used to 
scan for .0 addresses as well as 255 too.)

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

More information about the unisog mailing list