[unisog] The old smurf attack and router filters

Gene Rackow rackow at mcs.anl.gov
Mon Dec 3 23:17:05 GMT 2001

The fact that the address the person was given is not a broadcast address
needs to be taken into account.  The ISP is not doing anything wrong, and
the fact that they are using ALL of the addresses they can is just good 
business practice on their part.  

Granted the user could try to get another address, but if the ISP is doing
dynamic allocations, chances are he's going to get another address in your
forbidden range at some point in the future, or someone else will.

Yu might want to consider changing your filters to only deny ICMP traffic
to the 0 and 255 addresses, and therefore remain smurf free, yet allow
people with those addresses to get to your web, mail, and other services.

If you are preventing the IP directed broadcasts from entering your net,
then you should not be storming some other site, unless you have much
bigger problems anyway like someone on your site being the cause.  This user
is only one of many people that may be getting hit by these restrictions.
You don't really know how many there may be since you prevent them from
contacting you via the net the failures wont' appear in any of your logs.


John K Lerchey made the following keystrokes:
 >I think the "good solution" here is to have the user request a non-zero IP
 >from their provider.  Since the broadcast addresses are abused so
 >frequently, I think that the ISP is being either stupid or careless by
 >assigning one to a user.
 >I would not lift the ban... it's worked well for you for 2+ years.  It's
 >proven itself. :)
 >John K. Lerchey
 >Computer and Network Security Coordinator
 >Computing Services
 >Carnegie Mellon University
 >On Mon, 3 Dec 2001, DelVecchio, Anthony R. wrote:
 >> Hi I'm looking for some thoughts from you guys.
 >> Over the years we had problems w/our Unix boxes getting compromised and
 >> being used in the old smurf attack (a DoS that sends ICMP packets to a
 >> target networks network address and floods both connections).  When I was
 >> placed in this position being a good little security admin one of the first
 >> things I did was take a look at our router configs and added a NO IP
 >> DIRECTED BROADCASTS which I believe is standard on latest router configs.
 >> The problem was that smurfs were still working.  I eventually discoverd that
 >> this was because the router was looking at the netwok address of our class B
 >> and not the subnets we had broken it into. So I added some access lists
 >> blocking .0's and 255's going both ways (to be good net neighbors) and all
 >> was well with the universe. I have not seen this attack in about 2 years.
 >> Recently we had a user who's broadband provider assigned him a .0 address
 >> and of course none of his packets were making it back to him.  He's having
 >> difficulty getting the IP to release and get another one.
 >> My boss is claiming that other Universities don't do this and I'm wondering
 >> how true it is and if I have to drop the filter what a good solution may be.
 >> Thanks for your help,
 >> -----------------------------------------------------
 >> Tony DelVecchio
 >> Network Security Manager
 >> University of St Thomas
 >> St Paul, MN USA
 >> 651.962.6246
 >> -----------------------------------------------------
 >> "Power corrupts.  Absolute power is kind of neat."
 >> John Lehman - Former Secretary of the Navy

More information about the unisog mailing list