Re: [FW-1] Smurf Attack
Greetings! Serge Vondandamo wrote:
Okay, some background: A SMURF attack does ping (i.e. send ICMP echo-request) with a faked sender IP address to the network's broadcast address, e.g. 192.168.1.255 (assuming 192.168.1.*/24 is your network). This way each and every system in the network answers with ICMP echo-reply. This way you can abuse your network as DDoS amplifier: one (smurf-) ping to you gives many (up to 253 in our example) packets to the victim. Plus the victim sees that it is attacked by "you".
Now how to prevent: Simply block all requests (or at least ICMP-echo-replies) to the network base and broadcast addresses. Beware: if you do so, set the (probably enabled) Accept-ICMP (policy -> preferences -> security policy) to "before last" so that the block is effective.

Bye
Volker

--
[email protected]
discon GmbH IT-Security Consulting
Wrangelstrasse 100, 10997 Berlin, Germany
http://www.discon.de/
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e
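
Added example, not part of the original message: a small check that derives the network base and broadcast address of each protected network and flags ICMP echo-requests sent to them, which is the traffic the block rule above is meant to stop. It goes beyond the /24 case in the message by handling any prefix length, where the broadcast address need not end in .255; the function names, the packet tuples and the second network are assumptions made for illustration.

```python
import ipaddress

ICMP_ECHO_REQUEST = 8  # ICMP type of a ping request

# Constructed sample: (source, destination, ICMP type) as a packet filter might log them.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.168.1.255", 8),  # echo-request to the broadcast address
    ("203.0.113.7", "192.168.1.0", 8),    # echo-request to the network base address
    ("203.0.113.9", "192.168.1.20", 8),   # ordinary ping to a single host
    ("192.168.1.20", "203.0.113.9", 0),   # echo-reply leaving the network
    ("203.0.113.7", "10.0.0.63", 8),      # broadcast address of a /26
]


def guarded_addresses(cidrs):
    """Map the base and broadcast address of each network to that network."""
    guarded = {}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        guarded[net.network_address] = net
        guarded[net.broadcast_address] = net
    return guarded


def find_smurf_candidates(packets, cidrs):
    """Return echo-requests aimed at a network base or broadcast address."""
    guarded = guarded_addresses(cidrs)
    hits = []
    for src, dst, icmp_type in packets:
        net = guarded.get(ipaddress.ip_address(dst))
        if net is not None and icmp_type == ICMP_ECHO_REQUEST:
            # The source address is only what the packet claims; it may be faked.
            hits.append({"claimed_src": src, "dst": dst, "network": str(net)})
    return hits


if __name__ == "__main__":
    for hit in find_smurf_candidates(SAMPLE_PACKETS,
                                     ["192.168.1.0/24", "10.0.0.0/26"]):
        print(hit)
```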