Firewall Wizards mailing list archives

Re[2]: Smurfs and fraggles


From: dcostello () cmol com
Date: Thu, 11 Feb 99 11:37:53 -0500


I realize that my filter won't prevent me from getting attacked but it will at
least prevent me from being an amplifier.  Based on my understanding I don't see
that there is a way to prevent being attacked unless I can somehow monitor
the rate of incoming ICMP packets and if there's some sudden spike from a
certain IP address or addresses automatically filter them out.  That seems like
a fair amount of intelligence and programming to put into a router or firewall.

____________________Reply Separator____________________
Subject:    Re: Smurfs and fraggles 
Author: Ted Doty <ted () iss net> 
Date:       2/11/99 11:09 AM

At 08:54 PM 2/10/99 +0100, Arnd Vehling wrote:
Hello,

If I understand this correctly would a simple solution be to filter all
incoming broadcasts?  Would it just be a matter of setting up a filter on the
router to drop all incoming packets with a destination address of
xxx.xxx.xxx.255 where xxx.xxx.xxx is my network address?  

If you are using /24 network (formerly known as Class-C) this is right.

This is the correct method to protect the rest of the 'net (i.e. being a
good net.citizen).  Unfortunately, it won't help YOUR network.

If I want to smurf you, I find a target that accepts incoming broadcasts
(check the net for websites listing these places - the Bugtraq archives
lists at least one I can remember).  Then I build a nice, big (say, 1000
byte) echo request using your address as the source and send it to the
target.  You get extra credit if you find a site that has a T3 feed.

At this point, 10000 hosts from the target send you a 1000 byte reply.
There are no broadcast addresses in any of these packets, so your filter
won't stop anything.  Sorry.

Your filter is The Right Thing to do, but everyone needs to do it, and
everyone doesn't.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems              | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                           | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
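
The rate-monitoring idea raised in the first message, sketched as an added example that is not part of the original thread: it counts unsolicited ICMP echo replies per source network in a sliding window, since each amplifier host may send only one reply. The capture is constructed from documentation address ranges, and the window, threshold and /24 aggregation are assumptions.

```python
from collections import Counter, deque
from ipaddress import ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers

def detect_reply_flood(packets, window=1.0, threshold=50, prefix=24):
    """packets: (ts, src, dst, icmp_type) tuples sorted by ts, as seen at the
    victim's border. Returns {source network: time it crossed the threshold}."""
    asked = set()        # hosts we pinged ourselves (never expired here)
    recent = deque()     # (ts, net) of unsolicited replies still in the window
    per_net = Counter()
    flagged = {}
    for ts, src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST:
            asked.add(dst)
            continue
        if icmp_type != ECHO_REPLY or src in asked:
            continue     # not a reply, or a reply we asked for
        net = str(ip_network(f"{src}/{prefix}", strict=False))
        recent.append((ts, net))
        per_net[net] += 1
        while ts - recent[0][0] > window:      # expire old observations
            per_net[recent.popleft()[1]] -= 1
        if per_net[net] >= threshold and net not in flagged:
            flagged[net] = ts
    return flagged

def broadcast_filter_hits(packets, local_net="192.0.2.0/24"):
    """How many packets the 'drop dst x.x.x.255' filter would have matched."""
    bcast = str(ip_network(local_net).broadcast_address)
    return sum(1 for _, _, dst, _ in packets if dst == bcast)

def sample_capture():
    """Constructed capture: one legitimate ping, then 200 hosts of one
    network each sending a single echo reply to 192.0.2.10."""
    pkts = [(0.00, "192.0.2.10", "203.0.113.5", ECHO_REQUEST),
            (0.05, "203.0.113.5", "192.0.2.10", ECHO_REPLY)]
    pkts += [(1.0 + i * 0.001, f"198.51.100.{i + 1}", "192.0.2.10", ECHO_REPLY)
             for i in range(200)]
    return pkts

if __name__ == "__main__":
    capture = sample_capture()
    print("flagged networks:", detect_reply_flood(capture))
    print("flagged per host:", detect_reply_flood(capture, prefix=32))
    print("broadcast filter hits:", broadcast_filter_hits(capture))
```

Counting per host (`prefix=32`) flags nothing on this capture because every source sends one packet, and the broadcast filter matches none of them, which is the point Ted makes above.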




