smurf

Craig A. Huegen chuegen at quadrunner.com
Mon Dec 8 18:06:01 UTC 1997


On Tue, 9 Dec 1997, Adrian Chadd wrote:

==>* Filtering ALL ICMP is pretty silly, ICMP is there for more than just
==>  pings, and some of it is important.

I believe he only said he was filtering ICMP echo replies.

==>* If people start doing this, someone with a smidgen of time on their
==>  hands will write a ping flooder that uses random TCP or UDP packets
==>  with spoofed from addresses.

People have been sending spoofed floods for ages.  The problem is that
with a spoofed flood, you must have the bandwidth to send it from.

"smurf" multiplies traffic--a half a T1, pointed at 2 different
co-location networks of a total of 180 hosts, can generate 67.5 Mbit/sec
of traffic!

See http://www.quadrunner.com/~chuegen/smurf.html for technical
information on the attack.  Jake Khuon graciously converted my slide
presentation into a webbified form at
http://www.rsng.net/presentations/nanog11/smurf/index.html

==>I'm curious however - can anyone out there running netflow or something
==>similar give me a breakdown on what kind of ICMP traffic they're seeing?

One side note which is cued in perfectly by this is that netflow exports
(or even "show ip cache flow") will show you all the hosts that are
sending ICMP echo replies if you're being smurfed.  One provider I know of
has a script which parses the netflow output, sorts it, and then sends it
to the NOC staff which is then responsible for mailing a form letter with
smurf attack information to the InterNIC contact for that network.

/cah

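The netflow-parsing idea in the last paragraph, worked through as an added example. This is not the provider's script mentioned in the post and is not code from the original page. It assumes the classic IOS "show ip cache flow" column layout (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts) with the protocol and port columns in hex, and that for ICMP the DstP column carries type*256+code, so an echo reply (type 0, code 0) shows as 0000 and an echo request (type 8) as 0800. The flow lines, the victim address 203.0.113.5 and the amplifier networks are constructed from documentation address ranges for the example.

```python
"""Find smurf amplifier networks in Cisco "show ip cache flow" output.

Added example (not the script from the post). Assumes the classic IOS
flow-cache layout: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts,
with Pr/SrcP/DstP in hex and ICMP type/code encoded in DstP as type*256+code.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample output: victim 203.0.113.5 receives echo replies from
# hosts on two /24s; the other lines (a reply to a different host, an echo
# request, a TCP flow) must be ignored by the filter.
SAMPLE_FLOW_CACHE = """\
IP packet size distribution (85 total packets):
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0         192.0.2.10      Et0           203.0.113.5     01 0000 0000   420
Se0/0         192.0.2.11      Et0           203.0.113.5     01 0000 0000   415
Se0/0         192.0.2.12      Et0           203.0.113.5     01 0000 0000   398
Se0/0         198.51.100.7    Et0           203.0.113.5     01 0000 0000   300
Se0/0         198.51.100.8    Et0           203.0.113.5     01 0000 0000   290
Se0/0         198.51.100.9    Et0           203.0.113.9     01 0000 0000     3
Se0/0         192.0.2.10      Et0           203.0.113.5     01 0000 0800     1
Se0/0         198.51.100.20   Et0           203.0.113.5     06 0050 C0A3    12
"""

ICMP_PROTO = 0x01
ICMP_ECHO_REPLY = 0x0000    # type 0, code 0 in the DstP column (assumed encoding)

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dstif>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flows(text):
    """Yield one dict per flow line; header and summary lines do not match and are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        yield {
            "src": m["src"],
            "dst": m["dst"],
            "proto": int(m["proto"], 16),
            "sport": int(m["sport"], 16),
            "dport": int(m["dport"], 16),
            "pkts": int(m["pkts"]),
        }


def echo_reply_sources(text, victim):
    """Map each host that sent ICMP echo replies to `victim` to its packet count."""
    victim = ip_address(victim)
    per_host = defaultdict(int)
    for f in parse_flows(text):
        if f["proto"] != ICMP_PROTO or f["dport"] != ICMP_ECHO_REPLY:
            continue
        if ip_address(f["dst"]) != victim:
            continue
        per_host[f["src"]] += f["pkts"]
    return dict(per_host)


def amplifier_networks(text, victim, prefixlen=24):
    """Group reply senders by /prefixlen: list of (network, host_count, pkts), busiest first.

    The per-network host count is the amplification factor that network
    contributes: each host answers one spoofed echo request with one reply.
    """
    nets = defaultdict(lambda: [set(), 0])
    for host, pkts in echo_reply_sources(text, victim).items():
        net = str(ip_network(f"{host}/{prefixlen}", strict=False))
        nets[net][0].add(host)
        nets[net][1] += pkts
    rows = [(net, len(hosts), pkts) for net, (hosts, pkts) in nets.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def report(text, victim, prefixlen=24):
    """Plain-text summary a NOC could attach to a notification for each network's contact."""
    lines = [f"ICMP echo replies towards {victim}, grouped by /{prefixlen}:"]
    for net, hosts, pkts in amplifier_networks(text, victim, prefixlen):
        lines.append(f"  {net:<20} {hosts:>4} hosts {pkts:>8} pkts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_FLOW_CACHE, "203.0.113.5"))
```

Grouping by /24 is a convenience for the notification step; the flows themselves only identify hosts, so a real run would look the aggregate prefix up in the routing table or whois before deciding whom to contact. Filtering on the DstP column is what separates the amplifier replies from ordinary echo requests and from non-ICMP traffic that happens to hit the same victim.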




More information about the NANOG mailing list