[lug] Smurfing
John Hernandez
John.Hernandez at noaa.gov
Wed Aug 15 14:33:26 MDT 2001
Greg Horne wrote:
>
> Hi all!
>
> I recently was reading about Smurfing and decided to test my linux box. I
> typed this command:
> ping -c 10 -s 1 -q -b 207.202.197.0
>
> and received the output:
>
> WARNING: pinging broadcast address
> PING 207.202.197.0 (207.202.197.0) from 207.202.197.4 : 1(29) bytes of data.
>
> --- 207.202.197.0 ping statistics ---
> 10 packets transmitted, 10 packets received, +63 duplicates, 0% packet loss
>
> The +63 duplicates is what the website I was reading told me to be concerned
> about (http://ibelgique.ifrance.com/secur/docs/smurf.txt)
>
> So I go to http://www.netscan.org and http://www.powertech.no/smurf/
> . They scan my ip class and say that I'm fine, telling me that i'm not
> being used for Smurfing. I am confused. I have that +63 duplicates thing,
> and i'm A. Not being USED for these type of attacks or B. I'm not vunerable
> to be used by these attacks? Which is it?
>
> If I am vunerable (that +63 duplicates thing again) how can I fix my boxes?
>
What netscan is telling you is that a router between you and them is filtering out these "broadcast" pings. Good thing, and fairly standard these days. You do apparently have boxes that respond to network address pings, but only someone on the local network can cause that behavior (assuming your first-hop routers are filtering those). That may or may not be a matter of concern for you, depending on who uses your network, I guess. Most kernels have a parameter that turns off broadcast echo replies. On linux: net.ipv4.icmp_echo_ignore_broadcasts = 1.
-John
> Thanks for any help,
> Greg Horne
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
--
- John Hernandez - Network Engineer - 303-497-6392 -
| National Oceanic and Atmospheric Administration |
| Mailstop R/OM12. 325 Broadway, Boulder, CO 80305 |
----------------------------------------------------
More information about the LUG
mailing list