Firewall Wizards mailing list archives

RE: Smurfs and fraggles


From: John McDonald <Johnm () Networkguys com>
Date: Tue, 9 Feb 1999 13:02:53 -0800

Sure do!!

DESCRIPTION:

The "smurf" attack, named after its exploit program, is one of the most
recent in the category of network-level attacks against hosts. A
perpetrator sends a large amount of ICMP echo (ping) traffic at IP
broadcast addresses, all of it having a spoofed source address of a
victim. If the routing device delivering traffic to those broadcast
addresses performs the IP broadcast to layer 2 broadcast function noted
below, most hosts on that IP network will take the ICMP echo request and
reply to it with an echo reply each, multiplying the traffic by the
number of hosts responding. On a multi-access broadcast network, there
could potentially be hundreds of machines to reply to each packet.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo
packets in the same fashion as the ICMP echo packets; it was a simple
re-write of "smurf".

Currently, the providers/machines most commonly hit are IRC servers and
their providers.

There are two parties who are hurt by this attack... the intermediary
(broadcast) devices--let's call them "amplifiers"--and the spoofed
address target, or the "victim". The victim is the target of a large
amount of traffic that the amplifiers generate.

Let's look at the scenario to paint a picture of the dangerous nature of
this attack. Assume a co-location switched network with 100 hosts, and
that the attacker has a T1. The attacker sends, say, a 768kb/s stream of
ICMP echo (ping) packets, with a spoofed source address of the victim, to
the broadcast address of the "bounce site". These ping packets hit the
bounce site's broadcast network of 100 hosts; each of them takes the
packet and responds to it, creating 100 ping replies out-bound. If you
multiply the bandwidth, you'll see that 76.8 Mbps is used outbound from
the "bounce site" after the traffic is multiplied. This is then sent to
the victim (the spoofed source of the originating packets).


HOW TO KEEP YOUR SITE FROM BEING THE SOURCE PERPETRATORS USE TO ATTACK
VICTIMS:

The perpetrators of these attacks rely on the ability to source spoofed
packets to the "amplifiers" in order to generate the traffic which
causes the denial of service.

In order to stop this, all networks should perform filtering either at
the edge of the network where customers connect (access layer) or at the
edge of the network with connections to the upstream providers, in order
to defeat the possibility of source-address-spoofed packets entering
from downstream networks, or leaving for upstream networks.

Paul Ferguson of cisco Systems and Daniel Senie of BlazeNet have written
an RFC pertaining to this topic. See:

ftp://ftp.isi.edu/in-notes/rfc2267.txt

for more information and examples on this subject.

Additionally, router vendors have added or are currently adding options
to turn off the ability to spoof IP source addresses by checking the
source address of a packet against the routing table to ensure the
return path of the packet is through the interface it was received on.

Cisco has added this feature to the current 11.1CC branch, used by many
NSPs, in an interface command '[no] ip verify unicast reverse-path'.

See the "other vendors" section for 3Com information regarding this
feature.

John D. McDonald

Phone:  510.713.8880 ext. 306
Fax:    510.713.3456
E-mail: JohnM () NetworkGuys com
Web:    www.NetworkGuys.com

Secure Enterprise Connectivity
Managed Security        Managed Firewall
Anti-Virus-Vandal       Firewalls
Security Audits VPN
Digital Certificates    Security Systems
24x7 Network Monitoring/Hacker intrusion


-----Original Message-----
From:    dcostello () cmol com [mailto:dcostello () cmol com]
Sent:    Monday, February 08, 1999 11:18 AM
To:      Firewall-wizards () nfr net
Subject: Smurfs and fraggles


Does anyone have information on this DoS attack and how to guard
against it?
                


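The two defensive checks the message describes, a strict reverse-path check on the source address (the idea behind '[no] ip verify unicast reverse-path' and RFC 2267 ingress filtering) and refusing to deliver packets aimed at a subnet's broadcast address (the IP-to-layer-2 broadcast step that makes a site an amplifier), worked as an added example; this is not code from the original post or from any vendor. The routing table, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table: prefix -> interface the route points out of.
ROUTES = {
    "0.0.0.0/0": "Serial0",           # default route toward the upstream provider
    "192.0.2.0/24": "Ethernet0",      # a downstream customer network
    "198.51.100.0/24": "Ethernet1",   # the co-location LAN (potential "bounce site")
}
LOCAL_NETS = ["192.0.2.0/24", "198.51.100.0/24"]  # subnets whose broadcast we own


def best_route(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def passes_urpf(src, ingress):
    """Strict uRPF: accept only if the route back to src leaves via ingress."""
    return best_route(src) == ingress


def is_directed_broadcast(dst):
    """True when dst is the broadcast address of one of our own subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(n).broadcast_address
               for n in LOCAL_NETS)


def classify(pkt):
    """Return the drop reason for a packet, or None if it should be forwarded."""
    if not passes_urpf(pkt["src"], pkt["in"]):
        return "spoofed-source"       # what RFC 2267 filtering / uRPF stops
    if is_directed_broadcast(pkt["dst"]):
        return "directed-broadcast"   # what keeps the site from amplifying
    return None


# Constructed sample packets (src, ingress interface, dst).
SAMPLE = [
    {"src": "192.0.2.10", "in": "Ethernet0", "dst": "203.0.113.5"},      # legitimate
    {"src": "203.0.113.5", "in": "Ethernet0", "dst": "198.51.100.255"},  # spoofed victim
    {"src": "203.0.113.9", "in": "Serial0", "dst": "198.51.100.255"},    # aimed at our broadcast
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt["src"], "->", pkt["dst"], "via", pkt["in"], ":", classify(pkt) or "forward")
```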