Firewall Wizards mailing list archives

Re: Re[2]: Smurfs and fraggles


From: Dani Arbel <darbel () techunix technion ac il>
Date: Thu, 11 Feb 1999 08:18:38 +0200 (IST)

Hi!
Well, you should do that. This will not defend you from being the
attacked site.
In a smurf attack, host a from site A sends an icmp echo req. to the
broadcast address of site B with a spoofed ip source, the ip of the
victim.
Thus all nodes at B flood the victim with echo replies to an echo request
he never sent.
The point is that this attack would probably degrade your WAN link, and
not choke the victim host.
Blocking the broadcast address is done easily on a cisco router (no direct
broadcast). Blocking the attack is problematic, you need to use a traffic
shaper machine on the remote side of your WAN link and restrict the
bandwidth of icmp (and maybe ip?) echo.
Dani

On Wed, 10 Feb 1999 dcostello () cmol com wrote:


If I understand this correctly would a simple solution be to filter all
incoming broadcasts?  Would it just be a matter of setting up a filter on the
router to drop all incoming packets with a destination address of
xxx.xxx.xxx.255 where xxx.xxx.xxx is my network address?  Is there a reason I
wouldn't want to do this?

____________________Reply Separator____________________
Subject:    Re: Smurfs and fraggles 
Author: Joe Kelly <jkelly () eagle1 osaccess net> 
Date:       2/9/99 3:06 PM

Dave,

What kind of routers are you running?  If you have ciscos, you can use a
function called CAR to rate limit inbound ICMP.  Fraggle attacks are a bit
trickier as they tend to be aimed at random UDP ports, and don't usually
consume as much bandwidth.  With fraggles, it's the packets per second
that kill you.  Back in my IDT days, I had to fend off many of these
attacks.  Check out the Nanog archives http://www.nanog.org.  Also check
out http://www.merit.edu/ipma/docs/isp.html#abuse.  This is off nanog's
page, and provides many useful links.  Probably one of the easiest ways to
prevent these attacks is to outsource your IRC server.  Good luck!  Let me
know if you have any other questions.

Joe Kelly
Ex-network Engineer IDT Corp.
Speaking for myself

On Mon, 8 Feb 1999 dcostello () cmol com wrote:


Does anyone have information on this DOS attack and how to guard against it?
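
Added example, not part of the original thread: a Python check for the inbound filter discussed above (drop ICMP echo requests and UDP aimed at your own broadcast addresses). It goes beyond the xxx.xxx.xxx.255 case by deriving each broadcast address from the subnet's prefix length. The subnets, packet tuples and function names are constructed for illustration.

```python
import ipaddress

# Constructed internal subnets (documentation ranges) with mixed prefix lengths.
SUBNETS = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/26", "192.0.2.64/26", "198.51.100.0/24")]

# Directed-broadcast address of each subnet (all host bits set to one).
BROADCASTS = {net.broadcast_address: net for net in SUBNETS}

ICMP_ECHO_REQUEST = 8

def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our subnets."""
    return ipaddress.ip_address(dst) in BROADCASTS

def naive_255_match(dst):
    """The simple filter from the thread: destination ends in .255."""
    return dst.endswith(".255")

def classify(pkt):
    """pkt = (src, dst, proto, icmp_type); returns the filter decision."""
    _src, dst, proto, icmp_type = pkt
    if not is_directed_broadcast(dst):
        return "pass"
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
        return "drop-smurf"        # echo request using us as an amplifier
    if proto == "udp":
        return "drop-fraggle"      # UDP variant of the same amplification
    return "drop-broadcast"        # any other inbound directed broadcast

def missed_by_naive(packets):
    """Destinations the subnet-aware filter drops but a .255 match lets in."""
    return [p[1] for p in packets
            if classify(p) != "pass" and not naive_255_match(p[1])]

# Constructed inbound packets as seen on the WAN interface.
SAMPLE = [
    ("203.0.113.200", "192.0.2.63",     "icmp", 8),     # /26 broadcast
    ("203.0.113.9",   "192.0.2.127",    "udp",  None),  # /26 broadcast
    ("203.0.113.9",   "198.51.100.255", "icmp", 8),     # /24 broadcast
    ("203.0.113.9",   "198.51.100.20",  "icmp", 8),     # ordinary host
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt[1], classify(pkt))
    print("missed by .255 filter:", missed_by_naive(SAMPLE))
```
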