
Re: [FW-1] Smurf Attack



Greetings!

Serge Vondandamo wrote:

From my scan reports, I start seeing warnings about the "smurf attack" on my DMZ. Does anyone know how to effectively block this kind of vulnerability on the FW-1 level?

I already did it on the hosts level and it didn't fix the problem.
Thank you for any input.


Okay, some background:

A SMURF attack does ping (i.e. send ICMP echo-request) with a faked
sender IP address to the network's broadcast address, e.g. 192.168.1.255
(assuming 192.168.1.*/24 is your network).

This way each and every system in the network answers with ICMP
echo-reply. This way you can abuse your network as DDoS amplifier: one
(smurf-) ping to you gives many (up to 253 in our example) packets to
the victim. Plus the victim sees that it is attacked by "you".


Smurf's cousin FRAGGLE tries to do the same trick with the network base address, in our case 192.168.1.0 - which is not as efficient because fewer systems answer requests to the base address than to the broadcast address.



Now how to prevent:

Simply block all requests (or at least ICMP-echo-replies) to the network
base and broadcast addresses.

Beware: if you do so, set the (probably enabled) Accept-ICMP (policy ->
preferences -> security policy) to "before last" so that the block is
effective.

Bye
       Volker

--

-------------------------------------------------------------------
[email protected]                                 discon GmbH
IT-Security Consulting                           Wrangelstrasse 100
http://www.discon.de/                         10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74  b94c c68e
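
An added illustration of the advice in the reply above (not part of the original message and not Check Point configuration): a simplified first-match model of a rule base, showing why the position of the implied Accept-ICMP rule decides whether the block on base and broadcast addresses takes effect. The rule names, the web rule and the sample packets are constructed; the blocked addresses are derived from the netmask, so a subnetted DMZ has more of them than just .0 and .255.

```python
import ipaddress

ICMP = 1  # IP protocol number for ICMP

def broadcast_and_base(networks):
    """Base and directed-broadcast address of each network (mask-dependent)."""
    addrs = set()
    for net in map(ipaddress.ip_network, networks):
        if net.prefixlen < 31:          # /31 and /32 have no such addresses
            addrs.update((net.network_address, net.broadcast_address))
    return addrs

def build_policy(networks, accept_icmp):
    """Ordered rule list; accept_icmp is 'first' or 'before last' (simplified model)."""
    blocked = broadcast_and_base(networks)
    icmp_rule = ("accept-icmp", lambda p: p["proto"] == ICMP, "accept")
    explicit = [
        ("block-smurf", lambda p: ipaddress.ip_address(p["dst"]) in blocked, "drop"),
        ("allow-dmz-web", lambda p: p["proto"] == 6, "accept"),  # constructed rule
    ]
    cleanup = ("cleanup", lambda p: True, "drop")
    if accept_icmp == "first":
        return [icmp_rule] + explicit + [cleanup]
    return explicit + [icmp_rule, cleanup]      # 'before last'

def evaluate(policy, packet):
    """First matching rule wins; returns (rule name, action)."""
    for name, match, action in policy:
        if match(packet):
            return name, action

# Constructed sample packets; sources are documentation addresses.
SMURF = {"src": "203.0.113.7", "dst": "192.168.1.255", "proto": ICMP}
BASE = {"src": "203.0.113.7", "dst": "192.168.1.0", "proto": ICMP}
PING = {"src": "198.51.100.9", "dst": "192.168.1.10", "proto": ICMP}

if __name__ == "__main__":
    for position in ("first", "before last"):
        policy = build_policy(["192.168.1.0/24"], position)
        for pkt in (SMURF, BASE, PING):
            print(position, pkt["dst"], evaluate(policy, pkt))
```
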

   All contents © 2004 Network Presence, LLC. All rights reserved.