nanog mailing list archives

Re: [nsp] known networks for broadcast ping attacks
From: "Jeffrey S. Curtis" <curtis () anl gov>
Date: Wed, 30 Jul 1997 14:42:35 -0500

Alex Bligh writes:
}Urm, is the MAE-East LAN ?! Are you saying attacks are
}being mounted from here or people are attacking this LAN (not
}sure which is more worrying)

If I'm interpreting the code comments correctly, what this silly
"smurf" thing does is take a victim's IP address and generate
an ICMP_ECHO_REQUEST with the victim's IP address as the source
and an IP address from the array as the destination, and generate
lots of such packets (per each destination).  That way, the victim
supposedly receives lots of ICMP_ECHO_REPLY packets - more so than
from, say, the 28.8kbps dialup line from which the attack is taking
place.  So basically this is just a simple DoS attack on bandwidth,
supposedly multiplied by the fact that it uses broadcast addresses
as the "proxy" attacker rather than unicast addresses.

However, I don't know about everyone else, but my routers respond to
such attempted directed-broadcast pings from their own unicast
address, so it really isn't multiplying anything.

And furthermore, if more people implemented source address filtering,
it would be less of a problem - if it really is a problem at all.

(And to answer the proverbial "how do I configure my router for that"
in advance, the answer is that, at least on my boxes, the not-allowing-
broadcast-pings-through-as-broadcasts-onto-the-target-media thing is on
by default.  Source address filtering, however, is not.)

Jeffrey S. Curtis                      | Internetwork Manager
Argonne National Laboratory            | Email: curtis () anl gov
9700 South Cass Avenue, ECT-221        | Voice: 630/252-1789
Argonne, IL 60439                      | Fax:   630/252-9689
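The two router behaviours the post relies on, not forwarding directed broadcasts and filtering packets by source address, as an added simulation that is not part of the original message. The site prefixes are constructed from the RFC 5737 documentation ranges, and `filter_packet` and `echo_replies_seen_by_victim` are hypothetical names for the two checks.

```python
"""Model of a border router's handling of the traffic described above (added example)."""
import ipaddress

ICMP_ECHO_REQUEST = 8

# Constructed example: prefixes attached to, and legitimately sourced from, this site.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]


def _inside(addr, prefixes):
    return any(addr in net for net in prefixes)


def filter_packet(src, dst, direction, prefixes=SITE_PREFIXES, icmp_type=None):
    """Return None if the packet is forwarded, else the name of the rule that drops it.

    direction is "in" (arriving from the outside world) or "out" (leaving the site).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "out" and not _inside(src_ip, prefixes):
        # Source address filtering: a host here cannot send a packet that
        # carries somebody else's address (the victim's) as its source.
        return "source-filter"
    if direction == "in" and _inside(src_ip, prefixes):
        # Mirror rule: the outside world cannot claim one of our own addresses.
        return "source-filter"
    if (direction == "in" and icmp_type == ICMP_ECHO_REQUEST
            and any(dst_ip == net.broadcast_address for net in prefixes)):
        # Do not pass a broadcast ping through as a broadcast onto the target media.
        return "no-directed-broadcast"
    return None


def echo_replies_seen_by_victim(hosts_on_lan, forwards_directed_broadcast):
    """Replies that one inbound echo request to a broadcast address produces.

    With forwarding on, every host on the segment answers the spoofed source;
    with it off, at most the router itself answers from its unicast address,
    so the supposed amplifier yields one reply per request.
    """
    return hosts_on_lan if forwards_directed_broadcast else 1
```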
