Greetings!
Serge Vondandamo wrote:
>
> From my scan reports, I start seeing warnings about the "smurf attack"
> on my DMZ.
> Does anyone know how to effectively block this kind of vulnerability on
> the FW-1 level?
>
> I already did it on the hosts level and it didn't fix the problem.
> Thank you for any input.

Okay, some background:

A SMURF attack does ping (i.e. send ICMP echo-request) with a faked
sender IP address to the network's broadcast address, e.g. 192.168.1.255
(assuming 192.168.1.*/24 is your network).

This way each and every system in the network answers with ICMP
echo-reply. This way you can abuse your network as a DDoS amplifier: one
(smurf-) ping to you gives many (up to 253 in our example) packets to
the victim. Plus the victim sees that it is attacked by "you".

Smurf's cousin FRAGGLE tries to do the same trick with the network base
address, in our case 192.168.1.0 - which is not as efficient because
fewer systems answer to requests to the base address than do to the
broadcast address.

Now how to prevent:

Simply block all requests (or at least ICMP-echo-replies) to the network
base and broadcast addresses.

Beware: if you do so, set the (probably enabled) Accept-ICMP (policy ->
preferences -> security policy) to "before last" so that the block is
effective.

Bye
Volker
--
-------------------------------------------------------------------
[EMAIL PROTECTED] discon GmbH
IT-Security Consulting Wrangelstrasse 100
http://www.discon.de/ 10997 Berlin, Germany
-------------------------------------------------------------------
PGP-Fingerprint: 5323 a4f7 a7c2 b8ef 4653 05ce d2ea 2b74 b94c c68e
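
The following Python code is an added example, not part of the message above and not FW-1 configuration. It derives the base and broadcast address of each protected subnet and checks packet destinations against them, generalized beyond the /24 case in the text to arbitrary prefix lengths. The subnet list and the packet tuples are constructed sample values.

```python
import ipaddress

# Constructed sample: DMZ subnets to protect (assumed values, not from the post).
DMZ_NETWORKS = ["192.168.1.0/24", "10.20.30.64/26", "172.16.5.0/31"]

# Constructed sample packets: (source, destination, protocol).
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.168.1.255", "icmp-echo-request"),
    ("203.0.113.9", "192.168.1.0", "icmp-echo-request"),
    ("203.0.113.9", "10.20.30.127", "icmp-echo-request"),
    ("203.0.113.9", "10.20.30.255", "icmp-echo-request"),
    ("203.0.113.9", "172.16.5.0", "icmp-echo-request"),
    ("203.0.113.9", "192.168.1.10", "icmp-echo-request"),
]

def amplifier_addresses(cidrs):
    """Map each subnet's base and broadcast address to (cidr, role)."""
    targets = {}
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        # /31 (RFC 3021 point-to-point) and /32 subnets have no base or
        # broadcast address: every address is a host, nothing to block.
        if net.prefixlen >= net.max_prefixlen - 1:
            continue
        targets[net.network_address] = (cidr, "base")
        targets[net.broadcast_address] = (cidr, "broadcast")
    return targets

def should_drop(dst, targets):
    """True if dst is the base or broadcast address of a protected subnet."""
    return ipaddress.ip_address(dst) in targets

def review(packets, targets):
    """Return (dst, verdict, reason) for each packet tuple."""
    results = []
    for _src, dst, _proto in packets:
        # The source is ignored on purpose: in a smurf it is spoofed.
        # Protocol is ignored too, matching "block all requests".
        hit = targets.get(ipaddress.ip_address(dst))
        if hit:
            results.append((dst, "drop", f"{hit[1]} address of {hit[0]}"))
        else:
            results.append((dst, "pass", "not a base/broadcast address"))
    return results

if __name__ == "__main__":
    for row in review(SAMPLE_PACKETS, amplifier_addresses(DMZ_NETWORKS)):
        print(*row, sep="  ")
```

For the /26 the broadcast address is 10.20.30.127, not an address ending in .255, so a rule written only for `.0` and `.255` would miss it.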