On Wed, Jun 05, 2002 at 04:04:06PM +0200, Maciej Soltysiak wrote:
> > A Smurf attack is effective just by the sheer weight of traffic sent to
> > you, rather than because of any weakness in your host, so unfortunately
> > there is nothing you can do on your host to harden it against this type
> > of onslaught.
> How about:
> - blocking ICMP directed at broadcast addresses?

Yes, but that stops you being a source of a smurf attack, rather than the
victim. I think the original poster didn't want to be a victim, which I
don't think you can prevent bar blocking ICMP from broadcast addresses at
the borders (where "broadcast addresses" isn't as easy to determine as I
imply). Of course, stopping yourself being a source of the problem is good
too :)

> - setting /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts to 1 :)
> - adding anti-spoofing rules, smurf attacks may have spoofed IPs, and that
> is when the attack gets its sharp edge. It may be spoofed as if it is
> originating from your network.

No they won't, they'll be spoofed as the IP address of the victim. Well,
unless one of your IP addresses is the intended victim, but that strikes me
as unlikely - and it'd be hard to spot without MAC address checking rules
anyway.

> The same goes for fraggle attacks, those are UDP broadcast packets to
> unserved ports with spoofed IPs.
>
> If the destination and source IPs are in the same subnet, we can have
> the net attacking itself.
>
> I guess that is what we are talking about.

Sort of. I think. Probably. Not that this is another vague term or anything :)

--
FunkyJesus
System Administration Team
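The two roles discussed above (your network being used as a smurf amplifier, where the spoofed source of the broadcast echo requests is the victim, versus your address being the victim flooded with echo replies) can be told apart from traffic records. The following is an added example, not code from the thread; the packet tuples and the 192.0.2.0/24 local network are constructed, and `classify` and its threshold are my own names.

```python
"""Classify ICMP echo traffic for smurf involvement on a local network."""
import ipaddress
from collections import defaultdict

# Constructed sample records: (source IP, destination IP, ICMP type),
# where type 8 is an echo request and type 0 an echo reply.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.255", 8),  # request to our broadcast; src is the victim
    ("203.0.113.7", "192.0.2.255", 8),
    ("192.0.2.10", "203.0.113.7", 0),   # our hosts answering the broadcast
    ("192.0.2.11", "203.0.113.7", 0),
    ("192.0.2.12", "203.0.113.7", 0),
    ("192.0.2.10", "192.0.2.20", 8),    # ordinary unicast ping inside the net
    ("192.0.2.20", "192.0.2.10", 0),
]


def classify(packets, local_net, reply_threshold=3):
    """Return smurf findings for the given local network (CIDR string).

    'amplifier': count of echo requests addressed to the local broadcast
                 address, keyed by their (spoofed) source, i.e. the victim
                 the responses will be reflected at.
    'victim':    destinations that received echo replies from at least
                 reply_threshold distinct sources, the victim-side symptom.
    """
    net = ipaddress.ip_network(local_net)
    bcast = net.broadcast_address
    requests_to_bcast = defaultdict(int)
    reply_sources = defaultdict(set)
    for src, dst, icmp_type in packets:
        if icmp_type == 8 and ipaddress.ip_address(dst) == bcast:
            requests_to_bcast[src] += 1
        elif icmp_type == 0:
            reply_sources[dst].add(src)
    victims = sorted(d for d, s in reply_sources.items() if len(s) >= reply_threshold)
    return {"amplifier": dict(requests_to_bcast), "victim": victims}


if __name__ == "__main__":
    print(classify(SAMPLE_PACKETS, "192.0.2.0/24"))
```

Hosts that answer the broadcast request are the ones where setting icmp_echo_ignore_broadcasts to 1, as mentioned in the thread, removes the amplification.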
