[5401] in bugtraq
Re: `smurf' multi-broadcast icmp attack
daemon@ATHENA.MIT.EDU (Jon Lewis)
Thu Oct 16 15:10:56 1997
Date: Thu, 16 Oct 1997 11:10:06 -0400
Reply-To: Jon Lewis <jlewis@INORGANIC5.FDT.NET>
From: Jon Lewis <jlewis@INORGANIC5.FDT.NET>
X-To: Therapy? <therapy@GUARDIAN.HTU.TUWIEN.AC.AT>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.971016142041.1808A-200000@guardian.htu.tuwien.ac.at>
On Thu, 16 Oct 1997, Therapy? wrote:
> My host has been abused for flooding with the "smurf-exploit", posted to
> bugtraq, so I patched my kernel to not reply to ICMP_ECHO addressed to
> an IP address which doesn't belong to the host (broadcasted pkt).
Why hack and slash at your kernel when you can accomplish the same goal
with ipfwadm?
ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8
Replace 123.123.123.0 and 123.123.123.255 with the actual network and
broadcast addresses for your LAN.
> I recommend to install icmplog included in the iplogger packet, available
> at
> ftp://ftp.tu-graz.ac.at/pub/linux/redhat-contrib/SRPMS/iplogger-0.1-1.src.rpm
> to find out if you're abused by smurf to flood..
If you're being used as a smurf amplifier...you'll know.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/message.
Florida Digital Turnpike |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
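
Added example, not part of the original post: a POSIX sh helper that works out the network and broadcast addresses for a subnet of any prefix length (the post's addresses are a /24) and prints the two deny rules in the post's form. The function names and the 192.0.2.77/26 sample address are assumptions made for illustration; the rules are printed, not executed.

```shell
#!/bin/sh
# Added example: print the two ipfwadm deny rules from the post for any
# subnet. The rule text is copied from the post; only -D is computed.

# Dotted quad -> 32-bit integer; returns 1 on malformed input.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac   # no leading zeros (octal)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "addr/prefix" -> "network broadcast". /31 and /32 are rejected because
# they have no separate network and broadcast addresses.
net_and_bcast() {
    addr=${1%/*}; bits=${1#*/}
    case "$bits" in ""|*[!0-9]*|0*) return 1 ;; esac
    [ "$bits" -le 30 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$net") $(int_to_ip "$bcast")"
}

# Print (do not run) one rule per address, in the post's exact form.
smurf_rules() {
    pair=$(net_and_bcast "$1") || return 1
    for dst in $pair; do
        echo "ipfwadm -I -a deny -P icmp -D $dst -S 0/0 0 8"
    done
}

# Constructed sample: a host address on a /26 (documentation range).
smurf_rules 192.0.2.77/26
```

On a subnetted network the broadcast address does not end in .255, so the rules have to be generated per subnet rather than per classful network.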