Preventing "Smurf" amplifying attacks

The “smurf” attack, named after its exploit program, is an attack in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses (either subnet or not), all of it having a spoofed source address of a victim.

If the routing device delivering traffic to those broadcast addresses translates the IP broadcast into a layer 2 broadcast, most hosts on that IP network will take the ICMP echo request and each reply to it with an echo reply, multiplying (amplifying) the traffic by the number of hosts responding. On a multi-access broadcast network (i.e. Ethernet), there could potentially be hundreds of machines replying to each packet.

There are two parties who are hurt by this attack:

  • The intermediary (broadcast) devices, called amplifiers
  • The spoofed address target, or the victim

The victim is the target of a large amount of traffic that the amplifiers generate, as a consequence of replying to the ICMP echo request received at the broadcast address.

Preventing Linux hosts from responding to ICMP echo requests targeted to the broadcast address

There is a “sysctl” knob which controls whether the Linux kernel should ignore any received ICMP echo request packets whose destination is the broadcast address. This knob is:

net.ipv4.icmp_echo_ignore_broadcasts

Setting it to 1 makes the kernel silently drop any incoming ICMP echo request targeted at a broadcast address, either subnet (e.g. 192.168.0.255) or global (255.255.255.255). When set to 0, the host may respond to any received ICMP echo request packet targeted at a broadcast address.

Thus, the recommended value for this knob is 1.

An entry can be added to the file “/etc/sysctl.conf” with the following syntax:

net.ipv4.icmp_echo_ignore_broadcasts=0|1

Preventing Mac OS X hosts from responding to ICMP echo requests targeted to the broadcast address

Since Mac OS X is FreeBSD-derived underneath, there exists a “sysctl” knob used to control whether Mac OS X should respond to ICMP echo requests targeted at the broadcast address. This knob is:

net.inet.icmp.bmcastecho

When set to 1 (the default value), the kernel may respond to ICMP echo requests targeted to the broadcast address. Setting it to 0 will prevent the kernel from responding to such packets.

Thus, the recommended value for this knob is 0.

An entry can be added to the file “/etc/sysctl.conf” (which may be empty or may not exist yet; create it if needed) with the following syntax:

net.inet.icmp.bmcastecho=0|1
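The two sections above describe the same hardening step for two kernels with opposite conventions (Linux wants the knob at 1, Mac OS X wants it at 0). The following POSIX shell script is an added example, not part of the original post: it maps the operating system to its knob name and hardened value, reads the live setting where sysctl(8) or /proc/sys is available, and prints the exact /etc/sysctl.conf line to add when the host is not hardened. It assumes the knob names given above (net.ipv4.icmp_echo_ignore_broadcasts on Linux, net.inet.icmp.bmcastecho on Darwin/FreeBSD) and that uname -s reports "Linux" or "Darwin".

```shell
#!/bin/sh
# Audit whether this host ignores ICMP echo requests sent to broadcast addresses,
# i.e. whether it can be used as a smurf amplifier.
# Added example. Assumptions: Linux knob net.ipv4.icmp_echo_ignore_broadcasts
# (hardened value 1); Darwin/FreeBSD knob net.inet.icmp.bmcastecho (hardened value 0).

# knob_for_os OS -> prints the sysctl name for OS ("Linux", "Darwin" or "FreeBSD")
knob_for_os() {
    case "$1" in
        Linux)          echo "net.ipv4.icmp_echo_ignore_broadcasts" ;;
        Darwin|FreeBSD) echo "net.inet.icmp.bmcastecho" ;;
        *)              return 1 ;;
    esac
}

# hardened_value OS -> prints the value that makes the kernel drop broadcast echo requests
hardened_value() {
    case "$1" in
        Linux)          echo 1 ;;
        Darwin|FreeBSD) echo 0 ;;
        *)              return 1 ;;
    esac
}

# is_hardened OS VALUE -> exit 0 if VALUE is the hardened setting for OS, 1 otherwise
is_hardened() {
    want=$(hardened_value "$1") || return 1
    [ "$2" = "$want" ]
}

# sysctl_conf_line OS -> prints the line to add to /etc/sysctl.conf for OS
sysctl_conf_line() {
    knob=$(knob_for_os "$1") || return 1
    echo "$knob=$(hardened_value "$1")"
}

# current_value OS -> prints the live kernel value, via sysctl(8) if present,
# else via /proc/sys on Linux; prints nothing if neither source is readable
current_value() {
    knob=$(knob_for_os "$1") || return 1
    if command -v sysctl >/dev/null 2>&1; then
        sysctl -n "$knob" 2>/dev/null && return 0
    fi
    if [ "$1" = "Linux" ]; then
        path="/proc/sys/$(echo "$knob" | tr . /)"
        [ -r "$path" ] && cat "$path"
    fi
}

# audit_host -> reports on the running host; exit 0 hardened, 1 not hardened, 2 unknown
audit_host() {
    os=$(uname -s)
    knob=$(knob_for_os "$os") || { echo "unsupported OS: $os"; return 2; }
    val=$(current_value "$os")
    if [ -z "$val" ]; then
        echo "$knob: could not read current value"
        return 2
    fi
    if is_hardened "$os" "$val"; then
        echo "$knob=$val: OK, broadcast echo requests are ignored"
    else
        echo "$knob=$val: NOT hardened; add '$(sysctl_conf_line "$os")' to /etc/sysctl.conf"
        return 1
    fi
}

# Run the audit only when invoked with --audit, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh smurf_audit.sh --audit`; a non-zero exit status means the host would answer broadcast pings. Note that editing /etc/sysctl.conf only takes effect at the next boot (or after `sysctl -p` on Linux), so the audit reads the live kernel value rather than the file.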
