Re: smurf (stupid question)

[Lincoln Yeoh <lyeoh () POP JARING MY>]

At 09:38 AM 18-09-2000 -0400, Leon Rosenstein wrote:
> I was wondering with smurf amplification attacks what would
> happen if you spoofed your IP as the broadcast address of another
> smurfable network. Would this cause an ICMP storm / war??
> Would the two networks continousally just ping each other???     Anyway it
> was something I was wondering about.       Please feel free to respond in
> public or private.

I don't think it will work for ping, because with ping you send an ICMP
echo, and the target(s) will send ICMP _echo_reply_ packets.

But it could work with udp echo, or any other service which uses similar
methods to send and answer (symmetrical).

<Scenario>
So say you have two networks A and B, and all the hosts in A and B reply to
broadcast addresses.

You send such a packet to A's broadcast address, spoofing B's broadcast.
The hosts in A will then send packets to B's broadcast address. But note
that these packets have the source addresses of the hosts in A.

Each machine in B will then send packets to every machine in A. And vice
versa.

And if you send one more packet, the bandwidth usage doubles, and so on
until packets start getting dropped due to congestion.
</scenario>

So yes, both networks could possibly keep sending stuff to each other, and
bad things could happen. And no, it's not a stupid question.

One should thus make sure that stuff destined for broadcast (and special)
networks are dropped by the border routers/firewalls.

And also try to make sure that machines don't run services which could be
abused in that way (not always possible).

Have fun, (with your own network ;) )

Link.