On Wed, Jun 05, 2002 at 09:53:03AM -0400, Ramin Alidousti wrote:
> On Wed, Jun 05, 2002 at 01:27:41PM +0000, Francisco Alfonso Martinez Lopez wrote:


> > Hi everybody, how can I deny smurf attacks on my host? It's a single
> > connection to the Internet. Is there any possibility of denying smurf attacks on the
> > firewall? (My host runs dual boot: SuSE Linux & Windows)

> What exactly do you mean by "smurf attack"? Let us know and
> the rules will follow...

        A smurf attack is a spoofed ICMP packet (or possibly UDP packet,
but ICMP ECHO is the classic form) directed to a network broadcast address
and spoofed to be from the target.  The result is a flood of packets
from all the responding hosts hitting the target and potentially overwhelming
his bandwidth.  This is often referred to as smurf amplification and the
exploitable network referred to as a smurf amplifier.

        The prevention is to block directed (that is, routed over a router)
broadcasts.  If he only has a single host with a single IP address, I don't
see how smurf affects him.  He could refuse to respond to any incoming
requests which are addressed to the broadcast address of the network
to which he's connected.  That would be a valid action on, say, a cable
modem where you are a member of a network.  But it only eliminates that
one IP address from participating.  I don't think it would be meaningful
if it were a dialup to an ISP where you just have a point to point
connection, though.

        The correct solution needs to be applied at the final (local)
router, though.  That is the device which should block any incoming
packets directed at the local broadcast address from outside of the
network.  Outside of that router, you can't reliably determine what
constitutes the local broadcast address and it's the single point where
external attacks can be stopped for the entire network.

> Ramin
> 
> > 
> > Thanks in advance, folks!! (...and sorry for my English)

-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
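
The following is an added example, not part of the message above or of any poster's configuration. It shows the filter decision the reply places at the final router, and why a device further out cannot make it: whether an address is a broadcast depends on the prefix length, which only the local router knows. The networks (documentation ranges), interface names and sample packets are constructed assumptions.

```python
import ipaddress

# Assumed subnets attached behind the final (local) router; documentation ranges.
LOCAL_NETS = [
    ipaddress.ip_network("192.0.2.0/26"),
    ipaddress.ip_network("198.51.100.0/24"),
]
EXTERNAL_IFACE = "eth0"  # assumed name of the outside-facing interface


def directed_broadcasts(nets=LOCAL_NETS):
    """Broadcast address of every attached subnet (known only at this router)."""
    return {n.broadcast_address for n in nets}


def should_drop(dst, in_iface, nets=LOCAL_NETS, external=EXTERNAL_IFACE):
    """Drop packets from outside addressed to a local subnet's broadcast.

    Broadcasts that originate inside the network are left alone.
    """
    if in_iface != external:
        return False
    return ipaddress.ip_address(dst) in directed_broadcasts(nets)


def looks_like_broadcast(dst, guessed_prefixlen):
    """What an upstream device concludes if it has to guess the prefix length."""
    net = ipaddress.ip_network(f"{dst}/{guessed_prefixlen}", strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def filter_packets(packets):
    """Return the (dst, iface) pairs the router would drop."""
    return [(dst, iface) for dst, iface in packets if should_drop(dst, iface)]


# Constructed sample traffic: (destination address, ingress interface).
SAMPLE = [
    ("192.0.2.63", "eth0"),      # outside -> /26 broadcast: drop
    ("192.0.2.63", "eth1"),      # inside  -> same address: allowed
    ("192.0.2.10", "eth0"),      # outside -> ordinary host: allowed
    ("198.51.100.255", "eth0"),  # outside -> /24 broadcast: drop
]

if __name__ == "__main__":
    for dst, iface in filter_packets(SAMPLE):
        print(f"drop {dst} arriving on {iface}")
    # The same address is a broadcast under /26 but an ordinary host under /24.
    print(looks_like_broadcast("192.0.2.63", 26), looks_like_broadcast("192.0.2.63", 24))
```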
