Firewall Wizards mailing list archives
Re: Recent Attacks
From: Bennett Todd <bet () rahul net>
Date: Thu, 17 Feb 2000 11:10:18 -0500
2000-02-17-10:14:19 Troy Henley:
Could you describe what "smurf" is?
Smurf attacks, named after the first released program that implemented them, use directed ICMP broadcast packets with forged source addresses.

Say you're an attacker. Say you are on some random net, with some arbitrary address; your net and address don't show up in the packets, so I won't illustrate them. Say there's a big, big network whose network number is 172.20.0.0, a Class B network, directly connected to the internet. 65,534 possible host addresses in that net. The net isn't completely filled with hosts, of course, but say it's using c. 1/4 of the addresses; that's about 16,000 hosts.

Now suppose you send an ICMP echo packet, the packet type normally used by the "ping" command, which makes the remote host echo the packet back. Make it a fairly big packet, with perhaps 1KB of data. Send it to the broadcast address for that network, 172.20.255.255, and forge the source address to be your intended victim's source address.

If nobody is doing filtering for the various illegalities in this packet, then what'll happen is that all 16,000 will see the packet, and they'll all try and echo it back to the (forged) source address; voila, you just sent 1KB out, and the hosts on this net responded by blasting 16MB at your victim. So keep it up all day long.

An unprotected, heavily populated Class B is probably more than you'll actually find to use for this, but if you can find a handful of reasonably big nets, and use them all at once, a dialin user with a simple modem connection can generate a bad enough flood to take down a fairly big site.

I believe there's a blacklist already available somewhere that tries to keep track of known smurf amplifier networks, networks whose broken configuration allows them to be used this way.

-Bennett
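An added example, not part of the original post: the border filtering whose absence the message describes, written as a per-packet decision for the 172.20.0.0 network it uses. The function names and all sample addresses are constructed for illustration, and the network is assumed to be one flat /16 (subnet broadcast addresses inside it are not modelled).

```python
import ipaddress

# The network from the post; every other address below is constructed.
AMPLIFIER_NET = ipaddress.ip_network("172.20.0.0/16")

def edge_verdict(direction, src, dst, net=AMPLIFIER_NET):
    """Border-router decision for one packet: 'pass' or 'drop:<reason>'.

    direction is 'in' (internet -> net) or 'out' (net -> internet).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in":
        # A directed broadcast from outside is what makes the net an amplifier.
        if dst in (net.broadcast_address, net.network_address):
            return "drop:directed-broadcast"
        # Our own addresses cannot legitimately arrive from the outside.
        if src in net:
            return "drop:spoofed-internal-source"
    elif direction == "out":
        # Egress filtering: never emit a source address this net does not own.
        if src not in net:
            return "drop:spoofed-source"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return "pass"

def reflected_bytes(request_bytes, responding_hosts):
    """Bytes sent toward the forged source if one broadcast echo is answered."""
    return request_bytes * responding_hosts

if __name__ == "__main__":
    # Constructed sample packets: (direction, source, destination).
    samples = [
        ("in", "198.51.100.7", "172.20.255.255"),   # broadcast echo, forged source
        ("in", "198.51.100.7", "172.20.3.4"),       # ordinary unicast ping
        ("in", "172.20.9.9", "172.20.3.4"),         # internal source seen outside
        ("out", "198.51.100.7", "203.0.113.9"),     # forged source leaving the net
        ("out", "172.20.3.4", "203.0.113.9"),       # legitimate outbound traffic
    ]
    for pkt in samples:
        print(pkt, "->", edge_verdict(*pkt))
    # The post's figures: a 1KB echo answered by about 16,000 hosts.
    print(reflected_bytes(1024, 16000), "bytes reflected if unfiltered")
```
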