nanog mailing list archives
Re: Filtering ICMP (Was Re: SMURF amplifier block list)
From: Richard Irving <rirving () onecall net>
Date: Fri, 24 Apr 1998 11:50:12 -0500
Ok. You know how I always ask the obvious... So, here I go again.. This is only slightly off topic..

If you have no amplifiers greater than 2x-4x, is there really a need to turn off ip directed broadcasts? And if this is true, doesn't designing your network with minimized amplifier space sort of negate all this?

Enlighten me ....

Richard

Pete Ashdown wrote:
Jason Lixfeld said once upon a time:

Seriously.. what do you recommend? I'm totally open. I'm using deny icmp to protect myself. I'm up to an alternative.

You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on

There apparently is a bit of misunderstanding when it comes to how a smurf attack works. To understand a smurf attack you need to understand a standard ping request. Say we have a remote ping destination, named "target", and an originator of the ping request named "source". In the first step of a ping request, "source" sends an ICMP request of "echo" to "target":

  "source" --- ICMP echo ---> "target"

When "target" receives the ICMP echo, it sends back an ICMP echo-reply to "source":

  "source" <--- ICMP echo-reply --- "target"

Upon reception of the "echo-reply", "source" realizes a good ping and coughs you back the statistics on how long the whole interaction took.

With a smurf attack you have a perpetrator forging the "source" address, which in this case could also be known as the victim. The perp takes advantage of open directed-broadcast networks to get lots of addresses responding back to the "source" (victim) with "echo-reply". Thus the original request looks like this:

  perp (forged "source") --- ICMP echo ---> "target" (directed-broadcast)

and the reply looks like this:

  "source" (victim) <==== ICMP echo-reply x "target" addresses listening to the broadcast request for ping echo

You can easily see how the broadcast size of "target" and whether it is open to "directed-broadcast" is the fundamental exploit in the smurf attack. The larger the subnet, the better. However, it is also easy to see that by blocking just "echo-reply" to certain addresses (IRC servers, Quake servers, etc.), you can at least minimize the effects of the attack. The sad part is, the en masse echo-replies will still travel over your pipe to get to your filter and will still consume a significant portion of your bandwidth.
Note, my understanding of the function of "directed-broadcast" is limited by the fact that I've never used it in a useful function.
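The exchange Pete describes, and the two questions Richard raises (does amplification depend on subnet size, and does turning off directed broadcast remove it), as an added toy model that is not part of the original thread or anyone's posted code. Everything in it is constructed for illustration: the class and function names (Packet, Subnet, deliver, smurf, victim_pipe, amplification), the 64-byte packet size, the documentation-range addresses, and the rule that a subnet with directed broadcast disabled drops the echo at its router while one with it enabled has every live host answer the forged source. The victim-side ACL models "deny icmp any <victim> echo-reply" as dropping replies only after they have already crossed the victim's upstream link, which is the "still travel over your pipe" point in the quoted text.

```python
"""Toy model of a smurf exchange (constructed example, not code from the NANOG thread).

All names, sizes and addresses below are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: str      # "echo" or "echo-reply"
    size: int = 64      # bytes on the wire; assumed typical small ping


@dataclass
class Subnet:
    net: IPv4Network
    live_hosts: int                 # hosts on the wire that answer pings
    directed_broadcast: bool = True  # models Cisco "ip directed-broadcast" on the ingress router

    def is_broadcast(self, addr: str) -> bool:
        return IPv4Address(addr) == self.net.broadcast_address


def deliver(pkt: Packet, subnet: Subnet) -> list[Packet]:
    """Router plus hosts on one subnet: return every packet they emit in response to pkt."""
    if pkt.icmp_type != "echo":
        return []
    if subnet.is_broadcast(pkt.dst):
        if not subnet.directed_broadcast:
            return []  # router refuses to forward the directed broadcast: no amplification
        # directed broadcast forwarded onto the wire: every live host answers the (forged) source
        responders = list(subnet.net.hosts())[: subnet.live_hosts]
        return [Packet(src=str(h), dst=pkt.src, icmp_type="echo-reply", size=pkt.size)
                for h in responders]
    if IPv4Address(pkt.dst) in subnet.net:
        # ordinary unicast ping: exactly one echo-reply comes back
        return [Packet(src=pkt.dst, dst=pkt.src, icmp_type="echo-reply", size=pkt.size)]
    return []


def smurf(victim: str, amplifiers: list[Subnet], echoes_per_amplifier: int = 1):
    """Perp forges `victim` as source and pings each amplifier's broadcast address.

    Returns (bytes the perp sent, list of echo-replies now heading for the victim)."""
    sent = 0
    replies: list[Packet] = []
    for sub in amplifiers:
        for _ in range(echoes_per_amplifier):
            echo = Packet(src=victim, dst=str(sub.net.broadcast_address), icmp_type="echo")
            sent += echo.size
            replies.extend(deliver(echo, sub))
    return sent, replies


def amplification(sent: int, replies: list[Packet]) -> float:
    """Reply bytes per byte the perp had to send (the "x times" figure in the thread)."""
    return sum(p.size for p in replies) / sent if sent else 0.0


def victim_pipe(replies: list[Packet], filter_echo_reply: bool):
    """Bytes crossing the victim's upstream link vs bytes reaching the host behind an ACL.

    An edge ACL denying echo-reply drops the flood only after it has consumed the link."""
    on_wire = sum(p.size for p in replies)
    delivered = 0 if filter_echo_reply else on_wire
    return on_wire, delivered


if __name__ == "__main__":
    victim = "198.51.100.7"                     # assumed victim address (documentation range)
    big = Subnet(IPv4Network("192.0.2.0/24"), live_hosts=200)
    small = Subnet(IPv4Network("203.0.113.0/30"), live_hosts=2)
    for sub in (big, small):
        sent, replies = smurf(victim, [sub])
        print(f"{sub.net} open:   {len(replies):4d} replies, {amplification(sent, replies):.0f}x")
        sub.directed_broadcast = False
        sent, replies = smurf(victim, [sub])
        print(f"{sub.net} closed: {len(replies):4d} replies, {amplification(sent, replies):.0f}x")
    big.directed_broadcast = True
    sent, replies = smurf(victim, [big], echoes_per_amplifier=10)
    print("victim link bytes / delivered with echo-reply ACL:", victim_pipe(replies, True))
```

Running it shows the /24 with 200 answering hosts yielding 200x, the /30 yielding 2x (Richard's small-amplifier case), and either one yielding nothing once directed broadcast is refused at the router; the last line shows the ACL leaving the on-wire byte count unchanged while delivering zero to the host.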
Current thread:
- Re: Filtering ICMP (Was Re: SMURF amplifier block list), (continued)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Michael Dillon (Apr 20)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Mark Whitis (Apr 22)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Michael Dillon (Apr 20)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Michael Shields (Apr 22)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Alex P. Rudnev (Apr 21)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) D'Arcy J.M. Cain (Apr 22)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Alex P. Rudnev (Apr 21)
- Message not available
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Eric Germann (Apr 21)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Jason Lixfeld (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Pete Ashdown (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Richard Irving (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Brandon Ross (Apr 26)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Michael Dillon (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Mark Whitis (Apr 26)
- Re: SMURF amplifier block list Dean Anderson (Apr 18)
- Re: SMURF amplifier block list Phil Howard (Apr 18)
- Message not available
- Re: SMURF amplifier block list Jay R. Ashworth (Apr 19)
- Re: SMURF amplifier block list Alex P. Rudnev (Apr 20)
- Re: SMURF amplifier block list jlixfeld (Apr 20)
- Re: SMURF amplifier block list Dean Anderson (Apr 19)
- Re: SMURF amplifier block list Jason Lixfeld (Apr 24)