Firewall Wizards mailing list archives
RE: Smurfs and fraggles
From: John McDonald <Johnm () Networkguys com>
Date: Tue, 9 Feb 1999 13:02:53 -0800
Sure do!!

DESCRIPTION:

The "smurf" attack, named after its exploit program, is one of the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function noted below, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".

Currently, the providers/machines most commonly hit are IRC servers and their providers.

There are two parties who are hurt by this attack... the intermediary (broadcast) devices--let's call them "amplifiers", and the spoofed address target, or the "victim". The victim is the target of a large amount of traffic that the amplifiers generate.

Let's look at the scenario to paint a picture of the dangerous nature of this attack. Assume a co-location switched network with 100 hosts, and that the attacker has a T1. The attacker sends, say, a 768kb/s stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the "bounce site". These ping packets hit the bounce site's broadcast network of 100 hosts; each of them takes the packet and responds to it, creating 100 ping replies out-bound. If you multiply the bandwidth, you'll see that 76.8 Mbps is used outbound from the "bounce site" after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).
HOW TO KEEP YOUR SITE FROM BEING THE SOURCE PERPETRATORS USE TO ATTACK VICTIMS:

The perpetrators of these attacks rely on the ability to source spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service.

In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, in order to defeat the possibility of source-address-spoofed packets from entering from downstream networks, or leaving for upstream networks.

Paul Ferguson of cisco Systems and Daniel Senie of BlazeNet have written an RFC pertaining to this topic. See: ftp://ftp.isi.edu/in-notes/rfc2267.txt for more information and examples on this subject.

Additionally, router vendors have added or are currently adding options to turn off the ability to spoof IP source addresses by checking the source address of a packet against the routing table to ensure the return path of the packet is through the interface it was received on. Cisco has added this feature to the current 11.1CC branch, used by many NSP's, in an interface command '[no] ip verify unicast reverse-path'. See the "other vendors" section for 3Com information regarding this feature.

John D. McDonald
Phone: 510.713.8880 ext. 306
Fax: 510.713.3456
E-mail: JohnM () NetworkGuys com
Web: www.NetworkGuys.com
Secure Enterprise Connectivity Managed Security Managed Firewall Anti-Virus-Vandal Firewalls Security Audits VPN Digital Certificates Security Systems 24x7 Network Monitoring/Hacker intrusion

-----Original Message-----
From: dcostello () cmol com [mailto:dcostello () cmol com]
Sent: Monday, February 08, 1999 11:18 AM
To: Firewall-wizards () nfr net
Subject: Smurfs and fraggles

Does anyone have information on this DOS attack and how to guard against it?
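
The reverse-path check described in the message above (look up the packet's source address in the routing table and accept the packet only if the return path uses the interface it arrived on), written out as an added example that is not part of the original post or of any vendor's code. The routing table, interface names and packets are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed routing table: prefix -> interface the router would use
# to send traffic toward that prefix. Interface names are hypothetical.
ROUTES = {
    "192.0.2.0/24": "customer0",     # downstream customer network
    "198.51.100.0/24": "customer1",  # second downstream customer
    "0.0.0.0/0": "upstream0",        # default route to the provider
}

def best_route(table, address):
    """Longest-prefix match: return (network, interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def reverse_path_ok(table, src, in_iface):
    """Strict reverse-path check: accept a packet only if the route back
    to its source address leaves through the interface it arrived on."""
    route = best_route(table, src)
    return route is not None and route[1] == in_iface

def filter_packets(table, packets):
    """Split (src, dst, in_iface) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if reverse_path_ok(table, pkt[0], pkt[2]) else dropped
        target.append(pkt)
    return forwarded, dropped

# Constructed traffic as seen by the access router.
PACKETS = [
    ("192.0.2.10", "203.0.113.5", "customer0"),       # source inside customer0's prefix
    ("203.0.113.77", "198.51.100.255", "customer0"),  # source routed via upstream0: spoofed
    ("198.51.100.9", "203.0.113.5", "customer0"),     # customer1's address on customer0
    ("203.0.113.5", "192.0.2.10", "upstream0"),       # return traffic from upstream
]

if __name__ == "__main__":
    fwd, drop = filter_packets(ROUTES, PACKETS)
    for p in fwd:
        print("forward", p)
    for p in drop:
        print("drop   ", p)
```

The strict form shown here assumes symmetric routing; where the return path can legitimately use a different interface, the check would drop valid traffic.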