- 1. Attacker sends sustained ICMP Echo packets to the broadcast address of the amplifying network (xxx.255), with the source address forged to read the victim's IP address.
- 2. Since the traffic was sent to the broadcast address, all hosts in the amplifying LAN will answer to the victim's IP address.
- Similar to Smurf, but sends UDP packets to port 7 (echo) of the broadcast address.
- Prevent being an amplifying LAN: disable directed broadcast functionality at the border router and set the OS firewall not to respond to broadcast ECHO requests (see book for specific OS commands).
- Victim sites: limit ICMP requests at the border router and contact the ISP to do the same when under attack.
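
The following is an added example, not part of the original notes: a border-side check that flags the traffic a would-be amplifying LAN should drop, namely ICMP Echo requests or UDP port 7 packets addressed to a local broadcast address. The prefixes, packet records, threshold and function names are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: prefixes of the LANs behind the border router (constructed values).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.64/26")]

# Constructed packet records, as a border sensor might log them.
SAMPLE = (
    [{"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8}] * 4
    + [{"src": "203.0.113.50", "dst": "198.51.100.127", "proto": "udp", "dport": 7}] * 3
    + [
        {"src": "203.0.113.9", "dst": "192.0.2.17", "proto": "icmp", "icmp_type": 8},    # unicast ping
        {"src": "203.0.113.77", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 0},  # echo reply
        {"src": "203.0.113.80", "dst": "198.51.100.127", "proto": "udp", "dport": 53},   # not echo
    ]
)

def is_directed_broadcast(dst, nets=LOCAL_NETS):
    """True if dst is the broadcast address of a local prefix (not always x.x.x.255)."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in nets)

def classify(pkt):
    """Return 'smurf', 'udp-echo' or None for one packet record."""
    if not is_directed_broadcast(pkt["dst"]):
        return None
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:  # 8 = Echo request
        return "smurf"
    if pkt["proto"] == "udp" and pkt.get("dport") == 7:       # 7 = echo service
        return "udp-echo"
    return None

def forged_sources(packets, threshold=3):
    """Count broadcast-bound echo traffic per claimed source address.

    A source at or above the threshold is most likely a victim whose
    address is being forged, not the real sender.
    """
    hits = Counter()
    for pkt in packets:
        kind = classify(pkt)
        if kind:
            hits[(pkt["src"], kind)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for (src, kind), n in forged_sources(SAMPLE).items():
        print(f"{kind}: {n} broadcast-bound packets claiming source {src}")
```
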