Firewall Wizards mailing list archives

Re: Smurfs and fraggles


From: Ted Doty <ted () iss net>
Date: Thu, 11 Feb 1999 11:09:36 -0500

At 08:54 PM 2/10/99 +0100, Arnd Vehling wrote:
Hello,

If I understand this correctly, would a simple solution be to filter all
incoming broadcasts?  Would it just be a matter of setting up a filter on the
router to drop all incoming packets with a destination address of
xxx.xxx.xxx.255 where xxx.xxx.xxx is my network address?

If you are using a /24 network (formerly known as Class C) this is right.

This is the correct method to protect the rest of the 'net (i.e. being a
good net.citizen).  Unfortunately, it won't help YOUR network.

If I want to smurf you, I find a target that accepts incoming broadcasts
(check the net for websites listing these places - the Bugtraq archives
lists at least one I can remember).  Then I build a nice, big (say, 1000
byte) echo request using your address as the source and send it to the
target.  You get extra credit if you find a site that has a T3 feed.

At this point, 10000 hosts from the target send you a 1000 byte reply.
There are no broadcast addresses in any of these packets, so your filter
won't stop anything.  Sorry.

Your filter is The Right Thing to do, but everyone needs to do it, and
everyone doesn't.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                       | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
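The two halves of Ted's point (the directed-broadcast filter stops your network from being used as an amplifier, but the reflected replies carry no broadcast address and sail straight through it) can be shown on a small packet trace. The following is an added example, not code from the original post or from ISS; it models the router's view of each packet as a dictionary, uses constructed addresses from the documentation ranges (192.0.2.0/24 as "my network", 198.51.100.7 as an outside host, 10.0.0.0/8 as a synthetic reflector population), and adds a per-destination accounting check that flags a local host receiving echo replies from many sources it never pinged. The `is_directed_broadcast` check uses `ipaddress`, so it generalizes the xxx.xxx.xxx.255 rule to any prefix length, and the detector thresholds are illustrative, not tuned values.

```python
"""Directed-broadcast ingress filter plus detection of the reflected flood it cannot stop.

Added example, not part of the original mailing-list post. All addresses and
packet records below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # "my network" in the thread (constructed)

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def is_directed_broadcast(dst, net=LOCAL_NET):
    """True when dst is the directed broadcast of our prefix (xxx.xxx.xxx.255 for a /24).
    ipaddress computes the broadcast address, so this is correct for any prefix length."""
    return ipaddress.ip_address(dst) == net.broadcast_address


def ingress_filter(pkt, net=LOCAL_NET):
    """The filter Arnd asked about: drop packets addressed to our directed broadcast.
    Returns 'drop' or 'accept'. Nothing else about the packet is inspected."""
    return "drop" if is_directed_broadcast(pkt["dst"], net) else "accept"


def detect_reflected_floods(packets, net=LOCAL_NET, min_sources=100, min_bytes=100_000):
    """Flag local hosts that receive echo replies from many distinct sources without
    having sent matching echo requests. This is the pattern Ted describes: thousands
    of 1000-byte replies, no broadcast address in any of them. Thresholds are
    illustrative assumptions, not recommended values."""
    sent_requests = defaultdict(set)                       # local src -> peers it pinged
    reply_sources = defaultdict(set)                       # local dst -> reply sources seen
    reply_bytes = defaultdict(lambda: defaultdict(int))    # local dst -> source -> bytes
    for pkt in packets:
        if pkt["proto"] != "icmp":
            continue
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if pkt["type"] == ICMP_ECHO_REQUEST and src in net:
            sent_requests[str(src)].add(str(dst))
        elif pkt["type"] == ICMP_ECHO_REPLY and dst in net:
            reply_sources[str(dst)].add(str(src))
            reply_bytes[str(dst)][str(src)] += pkt["len"]
    alerts = {}
    for victim, sources in reply_sources.items():
        unsolicited = sources - sent_requests.get(victim, set())
        nbytes = sum(reply_bytes[victim][s] for s in unsolicited)
        if len(unsolicited) >= min_sources and nbytes >= min_bytes:
            alerts[victim] = {"sources": len(unsolicited), "bytes": nbytes}
    return alerts


def build_sample_traffic(n_reflectors=1000, reply_len=1000):
    """Constructed trace: one probe at our broadcast address, one legitimate ping
    exchange, and a reflected flood answering a request we never sent."""
    pkts = [
        # 1) Inbound echo request to our directed broadcast: the filter should drop it.
        {"src": "198.51.100.7", "dst": str(LOCAL_NET.broadcast_address),
         "proto": "icmp", "type": ICMP_ECHO_REQUEST, "len": 1000},
        # 2) A local host pings an outside host and gets one reply: accepted, not flagged.
        {"src": "192.0.2.10", "dst": "198.51.100.7",
         "proto": "icmp", "type": ICMP_ECHO_REQUEST, "len": 64},
        {"src": "198.51.100.7", "dst": "192.0.2.10",
         "proto": "icmp", "type": ICMP_ECHO_REPLY, "len": 64},
    ]
    # 3) Reflected flood: many hosts reply to 192.0.2.20, which sent no request.
    base = ipaddress.ip_address("10.0.0.0")               # synthetic reflector population
    for i in range(n_reflectors):
        pkts.append({"src": str(base + i), "dst": "192.0.2.20",
                     "proto": "icmp", "type": ICMP_ECHO_REPLY, "len": reply_len})
    return pkts


def run_simulation(packets, net=LOCAL_NET):
    """Apply the broadcast filter, then run detection over what it let through."""
    verdicts = [ingress_filter(p, net) for p in packets]
    accepted = [p for p, v in zip(packets, verdicts) if v == "accept"]
    return {"dropped": verdicts.count("drop"), "accepted": len(accepted),
            "alerts": detect_reflected_floods(accepted, net)}


if __name__ == "__main__":
    print(run_simulation(build_sample_traffic()))
```

Running it shows one packet dropped (the probe at 192.0.2.255), all 1000 reflected replies accepted, and 192.0.2.20 flagged with 1000 unsolicited sources and 1,000,000 bytes, while the host that actually pinged 198.51.100.7 is left alone. The filter is still worth having, as Ted says, because it keeps your hosts out of the 10000 answering the next attacker's probe; catching the replies aimed at you is a separate accounting problem.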


