Firewall Wizards mailing list archives

Re: Recent Attacks


From: Bennett Todd <bet () rahul net>
Date: Thu, 17 Feb 2000 11:10:18 -0500

2000-02-17-10:14:19 Troy Henley:
Could you describe what "smurf" is?

Smurf attacks, named after the first released program that
implemented them, use directed ICMP broadcast packets with forged
source addresses.

Say you're an attacker. Say you are on some random net, with some
arbitrary address; your net and address don't show up in the
packets, so I won't illustrate them. Say there's a big, big network
whose network number is 172.20.0.0, a Class B network, directly
connected to the internet. 65,534 possible host addresses in that
net. The net isn't completely filled with hosts, of course, but say
it's using c. 1/4 of the addresses; that's about 16,000 hosts. Now
suppose you send an ICMP echo packet, the packet type normally used
by the "ping" command, which makes the remote host echo the packet
back. Make it a fairly big packet, with perhaps 1KB of data. Send it
to the broadcast address for that network, 172.20.255.255, and forge
the source address to be your intended victim's source address.

If nobody is doing filtering for the various illegalities in this
packet, then what'll happen is that all 16,000 will see the packet,
and they'll all try and echo it back to the (forged) source address;
voila, you just sent 1KB out, and the hosts on this net responded by
blasting 16MB at your victim. So keep it up all day long.

An unprotected, heavily populated Class B is probably more than
you'll actually find to use for this, but if you can find a handful
of reasonably big nets, and use them all at once, a dialin user with
a simple modem connection can generate a bad enough flood to take
down a fairly big site.

I believe there's a blacklist already available somewhere that tries
to keep track of known smurf amplifier networks, networks whose
broken configuration allows them to be used this way.

-Bennett
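Both halves of the attack Bennett describes leave a visible signature: echo requests addressed to a subnet's directed-broadcast address arriving from outside (the amplifier's border), and many echo replies converging on one address (the victim's border). The following detector is an added example, not code from the post or the list; the 172.20.0.0/16 network and the packet records are constructed, and `len` is assumed to be the packet's size in bytes.

```python
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Networks this border filter protects (assumed; the post's Class B).
PROTECTED_NETS = [ipaddress.ip_network("172.20.0.0/16")]


def is_directed_broadcast(dst):
    """True if dst is the directed-broadcast address of a protected net."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in PROTECTED_NETS)


def analyze(packets, reply_threshold=3):
    """Flag broadcast echo requests (amplifier side) and reply floods (victim side).

    packets: dicts with src, dst, proto, type (ICMP type) and len (bytes).
    Returns flagged requests and {victim: reply bytes} for every address
    that received at least reply_threshold echo replies.
    """
    amplifier_hits = []
    reply_count, reply_bytes = Counter(), Counter()
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if p["type"] == ICMP_ECHO_REQUEST and is_directed_broadcast(p["dst"]):
            # A filtering router should have dropped this at the border.
            amplifier_hits.append((p["src"], p["dst"], p["len"]))
        elif p["type"] == ICMP_ECHO_REPLY:
            reply_count[p["dst"]] += 1
            reply_bytes[p["dst"]] += p["len"]
    victims = {d: reply_bytes[d] for d, n in reply_count.items() if n >= reply_threshold}
    return {"amplifier_hits": amplifier_hits, "victims": victims}


def expected_flood_bytes(responding_hosts, payload_len):
    """Bytes the victim gets per forged request (the post's 16,000 x 1KB)."""
    return responding_hosts * payload_len


# Constructed sample: one forged request to the broadcast address, three of
# the resulting replies to the victim 192.0.2.10, and one ordinary ping.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "172.20.255.255", "proto": "icmp", "type": 8, "len": 1024},
    {"src": "172.20.1.5", "dst": "192.0.2.10", "proto": "icmp", "type": 0, "len": 1024},
    {"src": "172.20.1.6", "dst": "192.0.2.10", "proto": "icmp", "type": 0, "len": 1024},
    {"src": "172.20.9.9", "dst": "192.0.2.10", "proto": "icmp", "type": 0, "len": 1024},
    {"src": "172.20.2.2", "dst": "198.51.100.7", "proto": "icmp", "type": 8, "len": 64},
]
```

The amplifier side disappears entirely when the border router refuses to forward packets addressed to its subnets' broadcast addresses, and ingress filtering of forged source addresses on the attacker's own network stops the spoofed request from ever leaving.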
