[lug] Smurfing

Greg Horne jeerygh at hotmail.com
Wed Aug 15 15:03:19 MDT 2001


I have the network behind a Cisco 2524 router, which I am pretty sure is 
configured to only allow outgoing traffic from my IP class.  Do you think it 
would be okay to leave icmp echo on in the linux boxes or not?

Thanks,
Greg Horne

>From: "John Hernandez" <John.Hernandez at noaa.gov>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] Smurfing
>Date: Wed, 15 Aug 2001 14:33:26 -0600
>
>Greg Horne wrote:
> >
> > Hi all!
> >
> > I recently was reading about Smurfing and decided to test my linux box.  I
> > typed this command:
> > ping -c 10 -s 1 -q -b 207.202.197.0
> >
> > and received the output:
> >
> > WARNING: pinging broadcast address
> > PING 207.202.197.0 (207.202.197.0) from 207.202.197.4 : 1(29) bytes of data.
> >
> > --- 207.202.197.0 ping statistics ---
> > 10 packets transmitted, 10 packets received, +63 duplicates, 0% packet loss
> >
> > The +63 duplicates is what the website I was reading told me to be concerned
> > about (http://ibelgique.ifrance.com/secur/docs/smurf.txt)
> >
> > So I go to http://www.netscan.org and http://www.powertech.no/smurf/.
> > They scan my ip class and say that I'm fine, telling me that I'm not
> > being used for Smurfing.  I am confused.  I have that +63 duplicates thing,
> > and I'm A. Not being USED for these types of attacks or B.  I'm not vulnerable
> > to be used by these attacks?  Which is it?
> >
> > If I am vulnerable (that +63 duplicates thing again) how can I fix my boxes?
> >
>
>What netscan is telling you is that a router between you and them is 
>filtering out these "broadcast" pings.  Good thing, and fairly standard 
>these days.  You do apparently have boxes that respond to network address 
>pings, but only someone on the local network can cause that behavior 
>(assuming your first-hop routers are filtering those).  That may or may not 
>be a matter of concern for you, depending on who uses your network, I 
>guess.  Most kernels have a parameter that turns off broadcast echo 
>replies.  On linux: net.ipv4.icmp_echo_ignore_broadcasts = 1.
>
>-John
>
>
> > Thanks for any help,
> > Greg Horne
>
>--
>
>   - John Hernandez - Network Engineer - 303-497-6392 -
>  |  National Oceanic and Atmospheric Administration   |
>  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
>   ----------------------------------------------------
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
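
As an added example that is not part of the original thread, the following script audits a Linux host for the two things discussed above: the "+N duplicates" count in saved ping output, and whether `net.ipv4.icmp_echo_ignore_broadcasts` is set to 1 both in the running kernel and persistently. The function names are hypothetical, and `/etc/sysctl.conf` is assumed to be the only persistent location checked.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Path arguments exist so the
# checks can be run against copies of the files without root.

# Print the "+N duplicates" count from ping output on stdin (0 if absent).
# A non-zero count after pinging a network/broadcast address means several
# hosts answered one echo request.
dup_count() {
    sed -n 's/.*packets transmitted.* +\([0-9][0-9]*\) duplicates.*/\1/p' | {
        read -r n || n=0
        echo "${n:-0}"
    }
}

# Succeed if the running kernel ignores broadcast echo requests.
ignores_broadcasts() {
    f=${1:-/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Succeed if the setting is persisted as 1. The last assignment in the file
# wins, and commented-out lines do not count.
persisted() {
    f=${1:-/etc/sysctl.conf}
    [ -r "$f" ] || return 1
    key='net\.ipv4\.icmp_echo_ignore_broadcasts'
    last=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$f" | tail -n 1)
    [ "$last" = "1" ]
}

# audit PING_OUTPUT_FILE [PROCFS_PATH] [SYSCTL_CONF]
audit() {
    dups=$(dup_count < "$1")
    if ignores_broadcasts "$2"; then live=on; else live=off; fi
    if persisted "$3"; then boot=on; else boot=off; fi
    echo "duplicates=$dups ignore_broadcasts_live=$live persisted=$boot"
}

if [ "$#" -ge 1 ]; then audit "$@"; fi
```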

