[lug] Smurfing
Gus Huber
gus at pbx.org
Wed Aug 15 16:11:23 MDT 2001
It would probably be a good idea to make sure you have the following command
on your inside ethernet interface: no ip directed-broadcast
i.e.:
interface FastEthernet0/1
no ip directed-broadcast
end
which prevents packets from being passed to any broadcast addresses there
might be on that interface.
cheers,
gus huber <gus at pbx.org>
On Wed, Aug 15, 2001 at 09:03:19PM +0000, Greg Horne wrote:
> I have the network behind a Cisco 2524 router, which I am pretty sure is
> configured to only allow outgoing traffic from my IP class. Do you think it
> would be okay to leave icmp echo on in the linux boxes or not?
>
> Thanks,
> Greg Horne
>
> >From: "John Hernandez" <John.Hernandez at noaa.gov>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: Re: [lug] Smurfing
> >Date: Wed, 15 Aug 2001 14:33:26 -0600
> >
> >Greg Horne wrote:
> > >
> > > Hi all!
> > >
> > > I recently was reading about Smurfing and decided to test my linux box. I
> > > typed this command:
> > > ping -c 10 -s 1 -q -b 207.202.197.0
> > >
> > > and received the output:
> > >
> > > WARNING: pinging broadcast address
> > > PING 207.202.197.0 (207.202.197.0) from 207.202.197.4 : 1(29) bytes of data.
> > >
> > > --- 207.202.197.0 ping statistics ---
> > > 10 packets transmitted, 10 packets received, +63 duplicates, 0% packet loss
> > >
> > > The +63 duplicates is what the website I was reading told me to be concerned
> > > about (http://ibelgique.ifrance.com/secur/docs/smurf.txt)
> > >
> > > So I go to http://www.netscan.org and http://www.powertech.no/smurf/ .
> > > They scan my ip class and say that I'm fine, telling me that I'm not
> > > being used for Smurfing. I am confused. I have that +63 duplicates thing,
> > > and I'm A. Not being USED for these types of attacks or B. I'm not vulnerable
> > > to be used by these attacks? Which is it?
> > >
> > > If I am vulnerable (that +63 duplicates thing again) how can I fix my boxes?
> > >
> >
> >What netscan is telling you is that a router between you and them is
> >filtering out these "broadcast" pings. Good thing, and fairly standard
> >these days. You do apparently have boxes that respond to network address
> >pings, but only someone on the local network can cause that behavior
> >(assuming your first-hop routers are filtering those). That may or may not
> >be a matter of concern for you, depending on who uses your network, I
> >guess. Most kernels have a parameter that turns off broadcast echo
> >replies. On linux: net.ipv4.icmp_echo_ignore_broadcasts = 1.
> >
> >-John
> >
> >
> > > Thanks for any help,
> > > Greg Horne
> > >
> > > _________________________________________________________________
> > > Get your FREE download of MSN Explorer at
> >http://explorer.msn.com/intl.asp
> > >
> > > _______________________________________________
> > > Web Page: http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> >--
> >
> > - John Hernandez - Network Engineer - 303-497-6392 -
> > | National Oceanic and Atmospheric Administration |
> > | Mailstop R/OM12. 325 Broadway, Boulder, CO 80305 |
> > ----------------------------------------------------
>
>
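The thread turns on two checks: reading the "+63 duplicates" in ping's summary as a count of extra hosts answering a broadcast echo, and confirming the Linux sysctl John mentions. The script below is an added example written for this archive page, not code from any poster; it embeds the ping output quoted above as a constructed sample, parses the statistics line, works out how many replies each broadcast probe drew (73 replies for 10 requests, a factor of 7.3), and reports the host's own icmp_echo_ignore_broadcasts value. The function names (parse_ping_stats, amplification_factor, assess) are mine; the /proc path is the real location of the sysctl on Linux.

```python
import re

# Constructed sample input: the ping summary quoted in the thread (ten echo
# requests to the broadcast address 207.202.197.0, ten replies plus 63
# duplicates).  Feed in the output of your own `ping -c 10 -b <net>` instead.
SAMPLE_PING_OUTPUT = """\
WARNING: pinging broadcast address
PING 207.202.197.0 (207.202.197.0) from 207.202.197.4 : 1(29) bytes of data.

--- 207.202.197.0 ping statistics ---
10 packets transmitted, 10 packets received, +63 duplicates, 0% packet loss
"""

# Matches the statistics line printed by Linux ping; the duplicates field is
# only present when some request drew more than one reply.
STATS_RE = re.compile(
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received"
    r"(?:, \+(?P<dups>\d+) duplicates)?"
)


def parse_ping_stats(output: str) -> dict:
    """Return sent/received/duplicate counts from ping's statistics line."""
    m = STATS_RE.search(output)
    if m is None:
        raise ValueError("no ping statistics line found")
    return {
        "sent": int(m.group("sent")),
        "received": int(m.group("recv")),
        "duplicates": int(m.group("dups") or 0),
    }


def amplification_factor(stats: dict) -> float:
    """Replies per echo request.  1.0 means one host answered each probe;
    above 1.0 several hosts answer the broadcast, so every request that
    reaches this subnet is multiplied by this factor on the way back."""
    if stats["sent"] == 0:
        return 0.0
    return (stats["received"] + stats["duplicates"]) / stats["sent"]


def sysctl_ignores_broadcasts(value: str) -> bool:
    """Interpret the contents of /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    (the net.ipv4.icmp_echo_ignore_broadcasts sysctl): '1' means the kernel
    drops echo requests addressed to broadcast or multicast addresses."""
    return value.strip() == "1"


def host_setting(path: str = "/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts") -> bool:
    """Read the live setting on a Linux host (False if the file is absent)."""
    try:
        with open(path) as fh:
            return sysctl_ignores_broadcasts(fh.read())
    except OSError:
        return False


def assess(stats: dict, kernel_ignores: bool) -> str:
    """Summarise what the duplicates mean, in the terms used in the thread."""
    factor = amplification_factor(stats)
    if factor <= 1.0:
        return "no broadcast amplification observed"
    note = (f"{factor:.1f} replies per request: hosts on this subnet answer "
            f"broadcast pings")
    if kernel_ignores:
        return note + " (this host itself has icmp_echo_ignore_broadcasts=1)"
    return note + "; set net.ipv4.icmp_echo_ignore_broadcasts=1 on each host"


if __name__ == "__main__":
    stats = parse_ping_stats(SAMPLE_PING_OUTPUT)
    print(stats)
    print(assess(stats, host_setting()))
```

The factor only says how many hosts on the segment answer broadcast echoes; as John notes, whether anyone off-segment can trigger that depends on the first-hop router dropping directed broadcasts, which is exactly what the no ip directed-broadcast line above does.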