Generic attacks

• Smurf

  • 1. Attacker sends sustained ICMP Echo packets to broadcast address of the amplifying network xxx.255, with source address is forged to read the victim’s IP address
  • 2. Since traffic was sent to broadcast address all hosts in the amplifying LAN will answer to the victim’s IP address

• Fraggle

  • similar to Smurf, but sends UDP packets to port 7 (echo) of the broadcast address.

• Countermeasures

  • Prevent being an amplifying LAN: disable directed broadcast functionality at the border router and set OS firewall to not respond to broadcast ECHO requests (see book for specific OS commands)
  • Victim sites: limit ICMP requests at the border router and contact ISP to do the same, when under attack.

attacker

victim

amplifying

LAN

Previous slide

Next slide

Back to first slide

View graphic version