Stopping smurfing on your network

Jim Reavis
Network World on Security, 10/13/99

The Internet has always been a strong self-policing entity. ISPs, mail administrators and others have long collaborated in an effort to combat misuse of the Internet and security issues. In some cases, this self-policing has grown into full-blown Web sites dedicated to searching, reporting and publishing information about Internet sites that are broken in some way. In the August 23 newsletter, we discussed how this approach is used to combat Unsolicited Commercial Email (UCE) - SPAM. Similar efforts have been undertaken to solve a problem occurring on a lower network layer: Smurf Amplifier Attacks.

What is a Smurf Amplifier Attack?

A Smurf Amplifier Attack is a very interesting network layer attack against host systems. It leverages the power of unaware hosts on misconfigured IP networks, causing them to flood the target host with traffic. Here's how it works:

A cracker wants to bring down the host at IP address 10.10.10.11. This person runs the smurf program, which sends a ping request to a third-party network's broadcast address, in this example 192.168.1.255. If the router connected to the 192.168.1.0 network is configured for directed broadcasts (many are), all the hosts on that network will respond to the ping request. The fun part of the ping packet is that the smurf program spoofs the return address, inserting any poor host's IP address, in this case 10.10.10.11. So with a single packet sent to the right network, a cracker can cause hundreds of packets to flood the target host, sent by a third-party network that is, in essence, an unaware, unpaid hitman.

Smurf Amplifier Attacks have often been performed on Internet Relay Chat hosts, turning chat into an ICMP version of Doom. However, it is not just the smurf target that is victimized: the third-party network, its ISP, other users of the same ISP and anyone else impacted by the packet storm and loss of bandwidth suffer as well.
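A network being used as the amplifier can spot the pattern described above in its own border traffic: echo requests addressed to a subnet's base or broadcast address, all claiming the same source. The following is an added example, not part of the original article; the packet records, function names and threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: (claimed source, destination, ICMP type) as seen on the
# router's outside interface. ICMP type 8 = echo request, 0 = echo reply.
SAMPLE_PACKETS = [
    ("10.10.10.11", "192.168.1.255", 8),
    ("10.10.10.11", "192.168.1.255", 8),
    ("10.10.10.11", "192.168.1.0", 8),
    ("172.16.5.9", "192.168.1.20", 8),   # ordinary ping to a single host
    ("10.10.10.11", "192.168.1.77", 0),  # an echo reply, not a request
]


def broadcast_targets(networks):
    """Return the base and broadcast address of every local subnet."""
    targets = set()
    for cidr in networks:
        net = ipaddress.ip_network(cidr)
        targets.update({net.network_address, net.broadcast_address})
    return targets


def amplifier_abuse(packets, networks, threshold=2):
    """Count echo requests aimed at our broadcast addresses, per claimed source.

    The claimed source is the spoofed return address, so each key in the
    result is the host that the replies would flood, not the sender.
    """
    targets = broadcast_targets(networks)
    hits = Counter()
    for src, dst, icmp_type in packets:
        if icmp_type == 8 and ipaddress.ip_address(dst) in targets:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for victim, count in amplifier_abuse(SAMPLE_PACKETS, ["192.168.1.0/24"]).items():
        print(f"{count} broadcast echo requests claim to come from {victim}")
```
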

What can you do about smurf?

The problem and solution lie within the network router. Most older routers, and many new ones, default to allowing directed broadcasts.

While the solution is relatively simple, if it isn't the default, it won't get changed in many cases. Enter the concerned network administrators as network activists. Two Web sites have been created to address this problem: netscan.org and the Smurf Amplifier Registry (SAR). Both sites take the direct approach to solving this problem. You can enter networks to be tested that you suspect have this problem. Both sites list the networks that are the worst offenders. Netscan.org also lists the responsible e-mail addresses from the appropriate network registry. SAR goes one step further: you can download the database in Cisco Access Control List format, allowing you to import the problem networks into your router as "DENY" ACL records. SAR appears to be a well-maintained and automated site, while netscan.org appears to be an on-again, off-again project, as time permits.

If you want to avoid showing up on these sites, help is available to configure your routers to deny directed broadcasts:

According to Cisco, as quoted in CERT advisory CA-98.01.smurf, the corrective action is: "Disabling IP directed broadcast for all interfaces on which it is not needed. This must be done on all routers in the network, not just on the border routers. The command "no ip directed-broadcast" should be applied to each interface on which directed broadcasts are to be disabled."
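Because the command has to appear on every interface of every router, a saved configuration can be audited for interfaces that were missed. The following is an added example, not Cisco's or the article's own code; the configuration text is constructed, the function names are hypothetical, and it assumes a router that forwards directed broadcasts by default, so a missing line means the interface is exposed.

```python
# Constructed sample of an IOS-style running configuration (not from the article).
SAMPLE_CONFIG = """\
hostname edge1
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 192.168.2.1 255.255.255.0
!
interface Serial0
 ip address 172.16.0.1 255.255.255.252
 ip directed-broadcast
!
interface Serial1
 no ip address
 shutdown
!
"""


def interface_stanzas(config):
    """Yield (name, sub-commands) for each interface block in the config."""
    name, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if name:
                yield name, body
            name, body = line.split(None, 1)[1].strip(), []
        elif name and line.startswith(" "):
            body.append(line.strip())
        elif name:  # an unindented line such as "!" ends the stanza
            yield name, body
            name, body = None, []
    if name:
        yield name, body


def directed_broadcast_exposed(config):
    """Addressed interfaces lacking 'no ip directed-broadcast' (assumes default-on)."""
    flagged = []
    for name, body in interface_stanzas(config):
        has_ip = any(cmd.startswith("ip address ") for cmd in body)
        if has_ip and "no ip directed-broadcast" not in body:
            flagged.append(name)
    return flagged
```

On software where directed broadcast is disabled by default, the check to make is the opposite one: look for an explicit `ip directed-broadcast` line instead.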

If you use a multihomed Linux system as a router, there is no single command as there is on Cisco. You can install ipfw and configure the system to drop ICMP packets destined for .0 or .255:

ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8
(replace 123.123.123.0 and 123.123.123.255 with your base network number and broadcast address, respectively)
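The .0 and .255 pair above matches a network on a /24 boundary; with any other prefix length the base and broadcast addresses fall elsewhere. The following added example (not from the original article; the function name and sample subnets are hypothetical) generalizes the two commands by computing both addresses for each subnet and emitting rules in the same ipfwadm form.

```python
import ipaddress


def smurf_deny_rules(cidrs):
    """Build ipfwadm input rules that drop ICMP to each subnet's base and
    broadcast address, using the rule format shown in the article."""
    rules = []
    for cidr in cidrs:
        # strict=True rejects a mistyped subnet such as 192.168.1.65/26.
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4:
            raise ValueError(f"{cidr}: IPv4 subnets only")
        if net.prefixlen >= 31:
            # /31 and /32 have no separate broadcast address to protect.
            continue
        for addr in (net.network_address, net.broadcast_address):
            rules.append(f"ipfwadm -I -a deny -P icmp -D {addr} -S 0/0 0 8")
    return rules


if __name__ == "__main__":
    # Constructed subnets: a /24, a /26 and a point-to-point /30.
    for rule in smurf_deny_rules(
        ["123.123.123.0/24", "192.168.1.64/26", "172.16.0.0/30"]
    ):
        print(rule)
```
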

The presence of these informational Web sites has been credited with bringing this problem to the attention of network administrators, resulting in the repair of several thousand networks. However, there are many networks still in need of repair, including some embarrassingly high-profile nets. If you have responsibility for Internet-connected routers, you should check out these registries and your configuration to make sure you aren't helping smurf attackers flood the 'Net.

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.

RELATED LINKS

Smurf Amplifier Registry (SAR)

netscan.org

Technote by Craig Huegen for smurf solutions for a variety of systems

The official CERT advisory

Don't smurf me up
Network World, 01/06/99

Archive of Network World on Security newsletters

Copyright, 1994-2006 Network World, Inc. All rights reserved.