2000-02-17-10:14:19 Troy Henley:
> Could you describe what "smurf" is?

Smurf attacks, named after the first released program that implemented them, use directed ICMP broadcast packets with forged source addresses.

Say you're an attacker. Say you are on some random net, with some arbitrary address; your net and address don't show up in the packets, so I won't illustrate them. Say there's a big, big network whose network number is 172.20.0.0, a Class B network, directly connected to the internet. 65,534 possible host addresses in that net. The net isn't completely filled with hosts, of course, but say it's using c. 1/4 of the addresses; that's about 16,000 hosts.

Now suppose you send an ICMP echo packet, the packet type normally used by the "ping" command, which makes the remote host echo the packet back. Make it a fairly big packet, with perhaps 1KB of data. Send it to the broadcast address for that network, 172.20.255.255, and forge the source address to be your intended victim's source address. If nobody is doing filtering for the various illegalities in this packet, then what'll happen is that all 16,000 will see the packet, and they'll all try and echo it back to the (forged) source address; voila, you just sent 1KB out, and the hosts on this net responded by blasting 16MB at your victim. So keep it up all day long.

An unprotected, heavily populated Class B is probably more than you'll actually find to use for this, but if you can find a handful of reasonably big nets, and use them all at once, a dialin user with a simple modem connection can generate a bad enough flood to take down a fairly big site. I believe there's a blacklist already available somewhere that tries to keep track of known smurf amplifier networks, networks whose broken configuration allows them to be used this way.
-Bennett
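As an added example (not part of Bennett's message), here are the two checks a network operator would apply to the scenario above, in Python: dropping ICMP echo requests aimed at a directed broadcast address at the router, and measuring the echo-reply volume leaving the net per destination. 172.20.0.0/16 is the network from the post; the addresses 192.0.2.10 and 198.51.100.7 and the packet records are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the original message. Models the ingress filter and
# the egress reply-volume check an operator could apply to the scenario above.
# 172.20.0.0/16 is the post's amplifier net; 192.0.2.10 (victim) and
# 198.51.100.7 are constructed addresses from the RFC 5737 documentation ranges.
LOCAL_NETS = [ipaddress.ip_network("172.20.0.0/16")]

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type numbers

def is_directed_broadcast(dst: str, local_nets=LOCAL_NETS) -> bool:
    """True when dst is the broadcast address of an attached network, i.e. a
    packet a border router should drop rather than forward onto the LAN."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in local_nets)

def filter_ingress(packets, local_nets=LOCAL_NETS):
    """Drop echo requests addressed to a directed broadcast; return the packets
    that would be forwarded. Each packet is (src, dst, icmp_type, size_bytes)."""
    return [p for p in packets
            if not (p[2] == ECHO_REQUEST and is_directed_broadcast(p[1], local_nets))]

def reply_volume_per_destination(packets, local_nets=LOCAL_NETS):
    """Aggregate echo replies leaving the local nets by destination, which is the
    egress signature of many hosts answering a forged-source broadcast ping.
    Returns {dst: (reply_count, total_bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, icmp_type, size in packets:
        if icmp_type != ECHO_REPLY:
            continue
        if not any(ipaddress.ip_address(src) in net for net in local_nets):
            continue
        totals[dst][0] += 1
        totals[dst][1] += size
    return {d: tuple(v) for d, v in totals.items()}

# Constructed traffic: one 1 KB spoofed request hits the broadcast address and
# three local hosts answer the forged source. A real event involves thousands
# of replies; the ratio of replies to the single request is what matters.
SAMPLE_PACKETS = [
    ("192.0.2.10", "172.20.255.255", ECHO_REQUEST, 1024),
    ("172.20.0.1", "192.0.2.10", ECHO_REPLY, 1024),
    ("172.20.0.2", "192.0.2.10", ECHO_REPLY, 1024),
    ("172.20.0.3", "192.0.2.10", ECHO_REPLY, 1024),
    ("198.51.100.7", "172.20.0.5", ECHO_REQUEST, 64),   # ordinary unicast ping, kept
]

if __name__ == "__main__":
    print("forwarded:", filter_ingress(SAMPLE_PACKETS))
    print("reply volume:", reply_volume_per_destination(SAMPLE_PACKETS))
```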
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:09 PDT