[nsp] known networks for broadcast ping attacks

• Previous message (by thread): [nsp] known networks for broadcast ping attacks
• Next message (by thread): [nsp] known networks for broadcast ping attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Well I happen to know the writer of "smurf.c" and he is really pissed at
how his exploit for this attack has been passed around like candy,  then
again,  he gave it out publically on the IRC.  This bug is exactly like
the one that "pepsi.c" exploited.  Little kids will have their fun with
it, realize that it is dumb and that people are patching themselves
against it, and it will die.
In the meantime ,  I did understand how it works,  just explained it a
little off :).


Netstat Webmaster wrote:

> On Wed, 30 Jul 1997, Systems Engineer wrote:
>
> > Actually people are making it seem that the entire MAE is sending
> you an
> > echo.  No one is mounting an attack from there,  they are just
> making it
> > look like it is coming from there.
>
> Well thats not entirely true.  In effect the victim is indeed being
> 'attacked' by MAE machines on that network.  Look at it like this:
>
> evil.com -> generates packet with forged address as
> (victim.com(icmp_echo)) -> destination for spoofed packet (25 .255
> broadcast addresses).
>
> >From here... all 25 network's broadcast address pass the icmp with
> the
> forged address on to all machines using that network.  Each machine
> then
> replies as:
>
> xxx.xxx.xxx.255
> abused.net.com (echo_reply) -> victim.com
> abused2.net.com (echo_reply) -> victim.com
> yyy.yyy.yyy.255
> abused3.othernet.com (echo_reply) -> victim.com
> abused4.othernet.com (echo_reply) -> victim.com
>
> [...etc...]
>
> Its a rather obnoxious attack, and its not exactly new.  Though I do
> think that it will get much worse now that smurf.c has been written
> and
> is being passed around like candy.
>
> The real problem I see with this particular attack is that there is
> nothing short of blocking all ICMPs that 'victim.com' can do. At least
>
> not that I am aware of.
>
> Regards,
> Tripp
>
> webmaster at http://www.netstat.net



--
---     ---     ---     ---     ---     ---     ---     ---     ---
Steven Nash                             ph:  (516)248-8400ext25
Systems Engineer / Network Security    fax:  (516)248-8897
Lightning Internet Services LLC      email:  snash at lightning.net
http://www.lightning.net
---     ---     ---     ---     ---     ---     ---     ---     ---

• Previous message (by thread): [nsp] known networks for broadcast ping attacks
• Next message (by thread): [nsp] known networks for broadcast ping attacks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]