Powertech Smurf Amplifier Registry (SAR)

Most of you are probably aware of what a denial of service, and more specifically, a smurf attack is. For those who are not familiar, here is a quick explanation:

Smurf?
A denial of service attack is any attack meant to compromise the availability of a system, or in any way prevent it from providing its normal functionality and services. There are many forms of denial of service attack, but one in particular is quite ingenious. The smurf attack gets its name from the little blue cartoon people you watched as a child. The idea behind a smurf attack is that a single attacker can trigger the activity of hundreds of machines to overwhelm a single target. It works by using ICMP echo request packets with a spoofed source address (the target's). The destination address is the broadcast address of a specific subnet. A broadcast address is an IP address in which every bit of the host portion is set, which for a /24 subnet means a last octet of 255 decimal (e.g. 192.168.1.255). When this IP address is used, the packet is sent to all hosts on that subnet. These hosts then all send ICMP echo reply packets to the spoofed IP address. If there are enough hosts, this will cause the target system to lose its availability. If you do the math, you can figure out how many smurfs are needed to take out a T1, etc.

T1 = 1.544 MBPS = 1,619,001.34 bytes
Max Sized Ping = 65535 bytes
1,619,001.34 / 65535 = 24.7

That means that 24.7 max-sized ping packets can consume an entire T1 line… I think you get the idea.

Smurf Amplifier Registry
The tricky part is finding systems to use as your “smurfs”. However, there is quite a useful website by the Norwegian group Powertech. They refer to it as their Smurf Amplifier Registry. It is a list of networks that are misconfigured in a way that allows them to be used as smurfs. The registry is updated every 5 minutes, and you can even test your own network for its vulnerability (however, if it is vulnerable, it is added to the list!). Sometimes they have a pretty hefty network on the list, which could successfully smurf some substantial targets. Anyway, check out the SAR here!

For those interested, you should also check out the “Fraggle” attack. I assume it gets its name from Fraggle Rock. It is pretty much just a UDP version of the smurf attack.

Prevention:

Preventing your network from becoming a smurf amplifier is quite simple. It involves two steps.

  • Configure hosts not to respond to broadcast pings.
  • Configure the router with the following command:


no ip directed-broadcast

This will prevent your network from allowing those pings to the broadcast address.
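Because `no ip directed-broadcast` is applied per interface, a saved router configuration can be audited for interfaces that still forward directed broadcasts. The following is an added example, not part of the original post: the sample configuration is constructed, and the `default_enabled` switch is an assumption that models software where forwarding stays on unless the `no` form is configured.

```python
import re

# Constructed sample of an IOS-style running-config (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
!
interface Loopback0
 no ip address
!
"""

def audit_directed_broadcast(config, default_enabled=False):
    """Return {interface: reason} for addressed interfaces that forward
    directed broadcasts. default_enabled=True models old default-on software."""
    findings, iface, state, has_ip = {}, None, None, False

    def close():
        # Record a finding for the stanza that just ended, if it has an address.
        if iface is None or not has_ip:
            return
        if state is True:
            findings[iface] = "explicitly enabled"
        elif state is None and default_enabled:
            findings[iface] = "enabled by default, no explicit 'no' line"

    for line in config.splitlines() + ["!"]:
        m = re.match(r"interface\s+(\S+)", line)
        if m or not line.startswith(" "):
            close()  # a non-indented line ends the current interface stanza
            iface, state, has_ip = (m.group(1) if m else None), None, False
            continue
        cmd = line.strip()
        if re.match(r"ip address \d", cmd):
            has_ip = True
        elif cmd == "no ip directed-broadcast":
            state = False
        elif re.match(r"ip directed-broadcast\b", cmd):
            state = True  # may carry an ACL number; still forwards some traffic
    return findings
```

Run it with `default_enabled=True` when the configuration comes from software that forwards directed broadcasts unless told otherwise, so interfaces that simply lack the command are reported as well.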


4 Responses to “Powertech Smurf Amplifier Registry (SAR)”

  1. Wow, 25 hosts and they are done?! That is crazy. How does one go about altering the various fields in an ICMP packet? Just some application you download? Well, maybe this isn’t such a good thing to discuss on your blog. Probably violates some Terms of Service contract you agreed to. 🙂 We shall continue this discussion in person.

    • There are certain tools you can use to alter and custom forge your own packets. However, the ping command itself comes with built-in options that let you set size (-l in Windows), etc.

  2. Nick Olsen Says:

    No, I was referring to fields like source IP and source MAC address.
