Vulnerability Development mailing list archives
Re: smurf (stupid question)
From: alex <alexander.tibbles () PMB OX AC UK>
Date: Tue, 19 Sep 2000 19:43:56 +0100
see Stevens Unix Network Programming (Prentice Hall, 1998), page 347:

"What happens if we create a UDP socket, bind port 7 to the socket (the standard echo [port]...), and send a UDP datagram to a chargen server?"

and p945-6:

"This is a well-known denial of service attack ([CERT 1996a]). The first datagram from port 7 causes the chargen server to send a datagram back to port 7. This is echoed and sends another datagram to the chargen server. This loop continues. One solution, implemented in BSD/OS, is to refuse datagrams to any of the internal servers if the source port of the incoming datagram belongs to any of the internal servers. Another solution is to disable these internal services, either through inetd on each host, or at an organization's router to the Internet."

[CERT 1996a] is "UDP Port Denial-of-Service Attack" Advisory CA-96.01, CERT.
ftp://info.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial

hope that helps: basically, it's been done, and chargen and echo should be firewalled.

alex

On 18 Sep 00, at 18:06, Michel Kaempf wrote:
> On Mon, Sep 18, 2000, Leon Rosenstein wrote:
>
> > I was wondering with smurf amplification attacks what would happen if you spoofed your IP as the broadcast address of another smurfable network.
>
> I tried this a long time ago on a LAN. Although it was not a spoofed IP address but a spoofed MAC address, the results should be the same, assuming both networks are open to broadcasts:
>
> * the attacker sends a spoofed echo request from IPa, the broadcast IP address of network A, to IPb, the broadcast IP address of network B;
> * every machine on network B, say n machines, receives the echo request;
> * each of these n machines sends an echo reply to IPa;
> * every machine on network A, say m machines, receives an echo reply from each of the n machines on network B, and that's all, there's nothing else to do after having received an echo reply, packets are not sent continuously.
>
> But what if the packet sent is a UDP packet, source port 19 (chargen) and destination port 19? I would say each of the machines on network B sends a chargen packet to IPa, port 19, and then each of the machines on network A sends a chargen packet to IPb, port 19, and so on. This could lead to a UDP storm, as each of the machines on both networks continuously sends packets to the machines on the other network. Perhaps it depends on the operating systems, perhaps I am wrong on this point as I never tried it with UDP chargen packets. Any comments?
>
> --
> MaXX
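
An added example, not part of this thread and not code from Stevens or BSD/OS: a small C model of the source-port check quoted above, showing that it stops the echo/chargen loop at the first datagram while an ordinary client still gets its reply. It opens no sockets; the function names and the cap on counted datagrams are assumptions made for the illustration.

```c
/* Added illustration: a model of the echo/chargen loop and the BSD/OS-style
 * source-port check. No sockets are opened; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* UDP services inetd implements internally, by well-known port. */
static const unsigned short INTERNAL_PORTS[] = {
    7 /* echo */, 9 /* discard */, 13 /* daytime */, 19 /* chargen */, 37 /* time */
};

static bool is_internal_port(unsigned short port)
{
    for (size_t i = 0; i < sizeof INTERNAL_PORTS / sizeof INTERNAL_PORTS[0]; i++)
        if (INTERNAL_PORTS[i] == port)
            return true;
    return false;
}

/* Does the service on dst_port answer a datagram that came from src_port? */
static bool service_replies(unsigned short dst_port, unsigned short src_port, bool guard)
{
    if (guard && is_internal_port(src_port))
        return false;                 /* refuse: the sender is itself an internal service */
    /* discard (9) never answers; a port with no service does not answer either */
    return dst_port != 9 && is_internal_port(dst_port);
}

/* Follow one datagram and every reply it triggers. Each reply goes back to the
 * sender's port, so the two ports swap roles. Returns datagrams seen, capped at max. */
static unsigned simulate_exchange(unsigned short src_port, unsigned short dst_port,
                                  bool guard, unsigned max)
{
    unsigned count = 1;               /* the initial datagram */
    while (count < max && service_replies(dst_port, src_port, guard)) {
        unsigned short tmp = src_port;
        src_port = dst_port;
        dst_port = tmp;
        count++;
    }
    return count;
}

int main(void)
{
    printf("echo->chargen, no check : %u (cap)\n", simulate_exchange(7, 19, false, 1000));
    printf("echo->chargen, check    : %u\n", simulate_exchange(7, 19, true, 1000));
    printf("client->echo, check     : %u\n", simulate_exchange(40000, 7, true, 1000));
    return 0;
}
```

Without the check the exchange only ends at the cap; with it, the first datagram is refused, and a client on an unprivileged port is unaffected.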