[unisog] The old smurf attack and router filters

Joshua Wright Joshua.Wright at jwu.edu
Tue Dec 4 02:18:55 GMT 2001


It is not enough to simply block ICMP, UDP would have to be blocked to
prevent Fraggle attacks as well.  TCP could be used to send a bunch of
ACK/FIN's in the same mechanism as Smurf and Fraggle - but would require a
lot more amplification networks to participate in a successful DoS attack
than a large, crafted UDP or ICMP packet.

"no ip directed-broadcast" will prevent the router from forwarding packets
to multiple recipients when addressed to a broadcast address of that
interface (whether .255 or .127, .63, etc).  Maybe you can provide some
additional information on why this was not working for you?

-Joshua Wright, GCIH
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright at jwu.edu 

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73


-----Original Message-----
From: Gene Rackow [mailto:rackow at mcs.anl.gov]
Sent: Monday, December 03, 2001 6:17 PM
To: John K Lerchey
Cc: DelVecchio, Anthony R.; 'unisog at sans.org'; rackow at mcs.anl.gov
Subject: Re: [unisog] The old smurf attack and router filters 


The fact that the address the person was given is not a broadcast address
needs to be taken into account.  The ISP is not doing anything wrong, and
the fact that they are using ALL of the addresses they can is just good 
business practice on their part.  

Granted the user could try to get another address, but if the ISP is doing
dynamic allocations, chances are he's going to get another address in your
forbidden range at some point in the future, or someone else will.

You might want to consider changing your filters to only deny ICMP traffic
to the 0 and 255 addresses, and therefore remain smurf free, yet allow
people with those addresses to get to your web, mail, and other services.

If you are preventing the IP directed broadcasts from entering your net,
then you should not be storming some other site, unless you have much
bigger problems anyway like someone on your site being the cause.  This user
is only one of many people that may be getting hit by these restrictions.
You don't really know how many there may be: since you prevent them from
contacting you via the net, the failures won't appear in any of your logs.


-_Gene

John K Lerchey made the following keystrokes:
 >Tony,
 >
 >I think the "good solution" here is to have the user request a non-zero IP
 >from their provider.  Since the broadcast addresses are abused so
 >frequently, I think that the ISP is being either stupid or careless by
 >assigning one to a user.
 >
 >I would not lift the ban... it's worked well for you for 2+ years.  It's
 >proven itself. :)
 >
 >
 >John K. Lerchey
 >Computer and Network Security Coordinator
 >Computing Services
 >Carnegie Mellon University
 >
 >
 >On Mon, 3 Dec 2001, DelVecchio, Anthony R. wrote:
 >
 >> Hi, I'm looking for some thoughts from you guys.
 >>
 >> Over the years we had problems w/our Unix boxes getting compromised and
 >> being used in the old smurf attack (a DoS that sends ICMP packets to a
 >> target network's network address and floods both connections).  When I was
 >> placed in this position, being a good little security admin, one of the first
 >> things I did was take a look at our router configs and added a NO IP
 >> DIRECTED BROADCASTS which I believe is standard on latest router configs.
 >>
 >> The problem was that smurfs were still working.  I eventually discovered that
 >> this was because the router was looking at the network address of our class B
 >> and not the subnets we had broken it into. So I added some access lists
 >> blocking .0's and .255's going both ways (to be good net neighbors) and all
 >> was well with the universe. I have not seen this attack in about 2 years.
 >>
 >> Recently we had a user whose broadband provider assigned him a .0 address
 >> and of course none of his packets were making it back to him.  He's having
 >> difficulty getting the IP to release and get another one.
 >>
 >> My boss is claiming that other Universities don't do this and I'm wondering
 >> how true it is and if I have to drop the filter what a good solution may be.
 >>
 >> Thanks for your help,
 >>
 >> -----------------------------------------------------
 >> Tony DelVecchio
 >> Network Security Manager
 >> University of St Thomas
 >> St Paul, MN USA
 >> 651.962.6246
 >> -----------------------------------------------------
 >> "Power corrupts.  Absolute power is kind of neat."
 >> John Lehman - Former Secretary of the Navy
 >>
 >>
 >
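
As an added illustration (not code from anyone in the thread): a small Python model contrasting Tony's last-octet ACL with a mask-aware filter built from the points raised above (subnet broadcasts sit at .63/.127 too, only ICMP/UDP amplify, TCP to a legitimate .0 host should get through). The campus subnet list and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed campus subnets standing in for the class B broken into smaller
# pieces that Tony describes; these prefixes are an assumption of this example.
OUR_SUBNETS = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/26", "192.0.2.64/26", "198.51.100.0/24")]

# Protocols a smurf/fraggle reflector amplifies: one request, many replies.
AMPLIFIABLE = {"icmp", "udp"}


def crude_filter(dst, proto):
    """Tony's original ACL: drop anything to a .0 or .255 address, any protocol.
    It ignores the subnet mask, so it misses the .63/.127 broadcasts of small
    subnets and blocks legitimate .0 hosts on someone else's large block."""
    last_octet = int(dst.rsplit(".", 1)[1])
    return "deny" if last_octet in (0, 255) else "permit"


def refined_filter(dst, proto, subnets=OUR_SUBNETS):
    """Combine the thread's points: block only amplifiable protocols, decide
    by mask for our own subnets, and fall back to Gene's 0/255 heuristic for
    destinations whose mask we cannot know."""
    if proto not in AMPLIFIABLE:
        return "permit"          # TCP amplification is impractical (Joshua)
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if addr in net:
            # Mask-aware: deny our subnet's network or broadcast address only
            if addr in (net.network_address, net.broadcast_address):
                return "deny"
            return "permit"
    # Remote destination: be a good neighbour and don't source smurfs (Gene)
    return "deny" if int(addr) & 0xFF in (0, 255) else "permit"


def compare(packets):
    """Return (dst, proto, crude, refined) for each constructed packet."""
    return [(d, p, crude_filter(d, p), refined_filter(d, p)) for d, p in packets]


if __name__ == "__main__":
    # Constructed sample: a .63 subnet broadcast, an ordinary host, and the
    # broadband user's legitimate .0 host reaching web (TCP) and ping (ICMP).
    for row in compare([("192.0.2.63", "icmp"), ("192.0.2.10", "icmp"),
                        ("203.0.113.0", "tcp"), ("203.0.113.0", "icmp")]):
        print("%-14s %-5s crude=%-6s refined=%s" % row)
```

The crude rule lets the .63 broadcast of a /26 through while blocking the remote user's TCP; the mask-aware rule does the opposite.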


