Bugtraq mailing list archives

Re: `smurf' multi-broadcast icmp attack


From: jlewis () INORGANIC5 FDT NET (Jon Lewis)
Date: Thu, 16 Oct 1997 11:10:06 -0400


On Thu, 16 Oct 1997, Therapy? wrote:

> My host has been abused for flooding with the "smurf-exploit", posted to
> bugtraq, so I patched my kernel to not reply to ICMP_ECHO addressed to
> an IP address which doesn't belong to the host (broadcasted pkt).

Why hack and slash at your kernel when you can accomplish the same goal
with ipfwadm?

ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8

Replace 123.123.123.0 and 123.123.123.255 with the actual network and
broadcast addresses for your LAN.

> I recommend to install icmplog included in the iplogger packet, available
> at
> ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm
> to find out if you're abused by smurf to flood..

If you're being used as a smurf amplifier...you'll know.

------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
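An added example, not part of the original post: on a LAN that is not a /24 the network and broadcast addresses are not .0 and .255, so this sketch derives them from a CIDR, prints the post's rule for each, and counts echo requests sent to them in some sample records. The function names, the 192.0.2.0/26 network and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8

def broadcast_targets(cidr):
    """Return the network and broadcast addresses of an IPv4 LAN, the two
    destinations the post's rules deny. /31 and /32 have no broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen >= 31:
        return []
    return [str(net.network_address), str(net.broadcast_address)]

def ipfwadm_rules(cidr):
    """Emit the rule from the post once per target address."""
    return [f"ipfwadm -I -a deny -P icmp -D {dst} -S 0/0 0 8"
            for dst in broadcast_targets(cidr)]

def echo_to_broadcast(records, cidr):
    """Count ICMP echo requests sent to the LAN's network/broadcast address,
    grouped by claimed source (in a smurf flood, the spoofed victim)."""
    targets = set(broadcast_targets(cidr))
    hits = Counter()
    for src, dst, icmp_type in records:
        if icmp_type == ICMP_ECHO_REQUEST and dst in targets:
            hits[src] += 1
    return hits

# Constructed sample records: (source, destination, ICMP type)
SAMPLE = [
    ("198.51.100.7", "192.0.2.63", 8),
    ("198.51.100.7", "192.0.2.63", 8),
    ("198.51.100.7", "192.0.2.0", 8),
    ("203.0.113.9", "192.0.2.10", 8),   # ordinary unicast ping
    ("192.0.2.10", "192.0.2.63", 0),    # echo reply, not a request
]

if __name__ == "__main__":
    for rule in ipfwadm_rules("192.0.2.17/26"):
        print(rule)
    print(echo_to_broadcast(SAMPLE, "192.0.2.17/26"))
```

A single claimed source with many echo requests to the broadcast address is the pattern to look for; that source is the flood's target, not its origin.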


