Vulnerability Development mailing list archives

Re: smurf (stupid question)


From: Michel Kaempf <maxx () VIA ECP FR>
Date: Mon, 18 Sep 2000 18:06:24 +0200

On Mon, Sep 18, 2000, Leon Rosenstein wrote:
> I was wondering with smurf amplification attacks what would happen
> if you spoofed your IP as the broadcast address of another smurfable
> network.

I tried this a long time ago on a LAN. Although it was not a spoofed
IP address but a spoofed MAC address, the results should be the same,
assuming both networks are open to broadcasts:

* the attacker sends a spoofed echo request from IPa, the broadcast IP
address of network A, to IPb, the broadcast IP address of network B;

* every machine on network B, say n machines, receives the echo request;

* each of these n machines sends an echo reply to IPa;

* every machine on network A, say m machines, receives an echo reply
from each of the n machines on network B, and that's all: there's
nothing else to do after having received an echo reply, and packets are
not sent continuously.

But what if the packet sent is a UDP packet, source port 19 (chargen)
and destination port 19? I would say each of the machines on network B
sends a chargen packet to IPa, port 19, and then each of the machines
on network A sends a chargen packet to IPb, port 19, and so on. This
could lead to a UDP storm, as each of the machines on both networks
continuously sends packets to the machines on the other network. Perhaps
it depends on the operating systems, perhaps I am wrong on this point as
I never tried it with UDP chargen packets. Any comments?

--
MaXX
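
Added example, not part of the original post: a border-filter check that flags the packet shapes described in the message above (a broadcast source address, a directed-broadcast destination, and UDP chargen-to-chargen traffic). The network ranges, the packet records, and the names `filter_reasons` and `classify` are constructed for illustration.

```python
import ipaddress

# Constructed example networks (documentation ranges) standing in for networks A and B.
NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]
# UDP "small services" that answer any datagram they receive: echo (7), chargen (19).
REFLEXIVE_UDP_PORTS = {7, 19}

def is_broadcast(addr, networks=NETWORKS):
    """True if addr is the limited broadcast or a known network's directed broadcast."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(ip == net.broadcast_address for net in networks)

def filter_reasons(pkt, networks=NETWORKS):
    """Return the reasons a border filter should drop pkt (empty list means pass)."""
    reasons = []
    if is_broadcast(pkt["src"], networks):
        reasons.append("source is a broadcast address")
    if is_broadcast(pkt["dst"], networks):
        reasons.append("destination is a directed broadcast")
    if (pkt["proto"] == "udp"
            and pkt.get("sport") in REFLEXIVE_UDP_PORTS
            and pkt.get("dport") in REFLEXIVE_UDP_PORTS):
        reasons.append("UDP small-service to small-service (loop risk)")
    return reasons

# Constructed packet summaries, not captured traffic.
SAMPLE_PACKETS = [
    {"proto": "icmp", "src": "192.0.2.255", "dst": "198.51.100.255"},
    {"proto": "udp", "src": "192.0.2.255", "dst": "198.51.100.255", "sport": 19, "dport": 19},
    {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.10", "sport": 19, "dport": 19},
    {"proto": "icmp", "src": "203.0.113.7", "dst": "198.51.100.10"},
    {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.10", "sport": 40000, "dport": 53},
]

def classify(packets=SAMPLE_PACKETS):
    """Map each packet index to its list of drop reasons."""
    return {i: filter_reasons(p) for i, p in enumerate(packets)}

if __name__ == "__main__":
    for i, reasons in classify().items():
        print(i, "DROP: " + "; ".join(reasons) if reasons else "pass")
```
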

