[11486] in North American Network Operators' Group
Re: [nsp] known networks for broadcast ping attacks
daemon@ATHENA.MIT.EDU (Netstat Webmaster)
Wed Jul 30 17:28:06 1997
Date: Wed, 30 Jul 1997 16:57:34 -0400 (EDT)
From: Netstat Webmaster <feh@netstat.net>
To: Systems Engineer <snash@lightning.net>
cc: "Alex.Bligh" <amb@xara.net>, nanog@merit.edu
In-Reply-To: <33DFA25A.32A92434@lightning.net>
On Wed, 30 Jul 1997, Systems Engineer wrote:
> Actually people are making it seem that the entire MAE is sending you an
> echo. No one is mounting an attack from there, they are just making it
> look like it is coming from there.
Well that's not entirely true. In effect the victim is indeed being
'attacked' by MAE machines on that network. Look at it like this:

    evil.com -> generates packet with forged address as
    (victim.com(icmp_echo)) -> destination for spoofed packet (25 .255
    broadcast addresses).

From here... all 25 networks' broadcast addresses pass the icmp with the
forged address on to all machines using that network. Each machine then
replies as:

    xxx.xxx.xxx.255
        abused.net.com (echo_reply) -> victim.com
        abused2.net.com (echo_reply) -> victim.com
    yyy.yyy.yyy.255
        abused3.othernet.com (echo_reply) -> victim.com
        abused4.othernet.com (echo_reply) -> victim.com
    [...etc...]

It's a rather obnoxious attack, and it's not exactly new. Though I do
think that it will get much worse now that smurf.c has been written and
is being passed around like candy.
The real problem I see with this particular attack is that there is
nothing short of blocking all ICMPs that 'victim.com' can do. At least
not that I am aware of.
Regards,
Tripp
webmaster@http://www.netstat.net
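
The reply pattern described in this message, seen from victim.com's side, as an added example that is not part of the original post: it groups echo replies that match no outstanding echo request by source network, so the abused broadcast networks can be identified and their operators contacted. The record layout, the /24 grouping, the host threshold and all addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

VICTIM = "192.0.2.10"  # constructed stand-in for victim.com

# Constructed border records: (direction, icmp_type, src, dst, icmp_id, icmp_seq)
SAMPLE = [
    ("out", "echo_request", VICTIM, "203.0.113.5", 7, 1),
    ("in", "echo_reply", "203.0.113.5", VICTIM, 7, 1),      # answer to our own ping
    ("in", "echo_reply", "198.51.100.11", VICTIM, 0, 0),
    ("in", "echo_reply", "198.51.100.12", VICTIM, 0, 0),
    ("in", "echo_reply", "198.51.100.13", VICTIM, 0, 0),
    ("in", "echo_reply", "198.51.100.14", VICTIM, 0, 0),
    ("in", "echo_reply", "203.0.113.21", VICTIM, 0, 0),
    ("in", "echo_reply", "203.0.113.22", VICTIM, 0, 0),
    ("in", "echo_reply", "203.0.113.23", VICTIM, 0, 0),
    ("in", "echo_reply", "192.0.2.77", VICTIM, 0, 0),       # lone stray reply
]


def find_amplifiers(records, victim, prefix_len=24, min_hosts=3):
    """Map each source network to the hosts that sent unsolicited echo replies.

    A reply is unsolicited when no echo request from the victim to that
    source with the same id/seq is outstanding. Networks with fewer than
    min_hosts distinct repliers are dropped as noise.
    """
    pending = set()
    repliers = defaultdict(set)
    for direction, icmp_type, src, dst, ident, seq in records:
        if direction == "out" and icmp_type == "echo_request" and src == victim:
            pending.add((dst, ident, seq))
        elif direction == "in" and icmp_type == "echo_reply" and dst == victim:
            if (src, ident, seq) in pending:
                pending.discard((src, ident, seq))  # each request matches one reply
                continue
            net = ip_network(f"{src}/{prefix_len}", strict=False)
            repliers[net].add(ip_address(src))
    return {
        str(net): [str(h) for h in sorted(hosts)]
        for net, hosts in repliers.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for net, hosts in sorted(find_amplifiers(SAMPLE, VICTIM).items()):
        print(f"{net}: {len(hosts)} hosts replied unsolicited: {', '.join(hosts)}")
```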