|
2000103 : Smurf denial of service |
|
Medium RiskQuick Links
- Event Description
- Products that have this security check
- Affected platforms
- How to remove this vulnerability
- References
- Information about this document
Event description
In a Smurf denial of service attack, ICMP echo request (ping) packets addressed to an IP broadcast address cause a large number of responses. When each host on the subnet replies to the same ping request, the large number of responses can consume all available network bandwidth, especially if data is appended to the ping request. This can prevent legitimate traffic from being transmitted during the attack. This attack is frequently used against third parties, where an attacker forges the target's source address in a Smurf attack against a different target. At the extreme, this attack can simultaneously disable both targets.
Windows systems do not respond to broadcast pings. However, this does not mean that all Microsoft networks are invulnerable to Smurf attacks.
Products that have this security check
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- Proventia Desktop
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server for VMware
- Proventia Server IPS for Linux technology
- Proventia Server IPS for Microsoft Windows technology
- RealSecure Desktop
- RealSecure Desktop Protector
- RealSecure Desktop Protector 3.6
- RealSecure Guard
- RealSecure Network
- RealSecure Sentry
- RealSecure Server Sensor
| Smurf_Attack | |
This signature detects a possible Smurf amplifier attempt; an ICMP echo frame sent to a subnet address (x.x.x.0 or x.x.x.255). This may cause a flurry of echo responses, which can overwhelm the network or the systems involved. This is commonly known as the Smurf attack. This signature replaces Smurf. | |
| False Positive: | A false positive can occur when the signature is triggered by people sending out broadcasts on the local segment. This is commonly seen by people inside corporate networks or on cable-modem segments. While this does not indicate an attempt to use your network as an Smurf amplifier, it does indicate that somebody is attempting discovery operations on your network. |
Affected platforms
- Various vendors Any application
How to remove this vulnerability
Reconfigure your perimeter router or firewall to block ICMP echo requests on your internal network and block ICMP echo replies from entering your network. This will prevent someone from using your network to mount a SMURF attack against another target. It will also prevent an external attacker from targeting your hosts. However, neither of these actions will stop internal SMURF attacks.
References
SANS Institute Resources Web site
Help Defeat Denial of Service Attacks: Step-by-Step
http://www.sans.org/dosstep/index.htm
CIAC Information Bulletin K-032
DDoS Mediation Action List
http://www.ciac.org/ciac/bulletins/k-032.shtml
CIAC Information Bulletin I-021a
"smurf" IP Denial-of-Service Attacks
http://www.ciac.org/ciac/bulletins/i-021a.shtml
FreeBSD Security Advisory FreeBSD-SA-98:06
smurf attack
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-98:06.icmp.asc
Cisco Systems Technical Tips
"Smurfing": The Latest in Denial of Service Attacks
http://www.pentics.net/denial-of-service/presentations/
CERT Advisory CA-1998-01
smurf IP Denial-of-Service Attacks
http://www.cert.org/advisories/CA-1998-01.html
Pentics.net Web site
THE LATEST IN DENIAL OF SERVICE ATTACKS: "SMURFING"
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi
Common Vulnerabilities and Exposures
ICMP messages to broadcast addresses are allowed, allowing for a Smurf attack that can cause a denial of service.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0513
BugTraq
Multiple Vendor Smurf Denial of Service Vulnerability
http://www.securityfocus.com/bid/147
Information about this document
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.
Copyright © 1997 – 2010 IBM Internet Security Systems. All rights reserved.
This page was created on Tue Feb 9 00:42:02 2010