Filtering ICMP (Was Re: SMURF amplifier block list)

Jason Lixfeld said once upon a time:

Seriously.. what do you recommend? I'm totally open. I'm using deny icmp
to protect myself. I'm up to an alternative.

> You could always "deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm log" on

There apparently is a bit of misunderstanding when it comes to how a smurf
attack works. To understand a smurf attack you need to understand a
standard ping request.

Say we have a remote ping destination, named "target", and an originator of
the ping request named "source". In the first step of a ping request,
"source" sends an ICMP request of "echo" to "target":

  "source" --- ICMP echo ---> "target"

When "target" receives the ICMP echo, it sends back an ICMP echo-reply to
"source":

        "source" <--- ICMP echo-reply --- "target"

Upon reception of the "echo-reply", "source" realizes a good ping and coughs
you back the statistics on how long the whole interaction was.

With a smurf attack you have a perpetrator forging the "source" address,
which in this case could also be known as victim. The perp takes advantage
of open directed-broadcast networks to get lots of addresses responding
back to the "source" (victim) with "echo-reply". Thus the original request
looks like this:

    perp (forged "source") --- ICMP echo ---> "target" (directed-broadcast)

and the reply looks like this:

    "source" (victim) <==== ICMP echo-reply x "target" addresses listening to
                                              the broadcast request for
                                              ping echo

You can easily see how the broadcast size of "target" and whether it is
open to "directed-broadcast" is the fundamental exploit in the smurf
attack. The larger the subnet, the better. However, it is also easy to
see that by blocking just "echo-reply" to certain addresses (IRC servers,
Quake servers, etc), you can at least minimize the effects of the attack.
The sad part is, the en masse echo-replies will still travel over your pipe
to get to your filter and will still consume a significant portion of your
bandwidth.

Note, my understanding of the function of "directed-broadcast" is limited
by the fact that I've never used it in a useful function.
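As an added illustration (not part of the thread), here is a small Python detector that applies the reasoning above to constructed ICMP flow records: it flags a destination that receives echo-replies from many distinct hosts in one /24 it never sent an echo request to, which is the signature of the forged-source amplification described above. The record format, threshold and addresses are assumptions made for the example.

```python
"""Flag smurf-style echo-reply amplification in constructed ICMP flow records."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample records: (src, dst, icmp_type); type 8 = echo, type 0 = echo-reply.
SAMPLE_RECORDS = (
    # A normal ping: one request, one reply from the host that was asked.
    [("10.0.0.5", "192.0.2.1", 8), ("192.0.2.1", "10.0.0.5", 0)]
    # An admin deliberately pinging their own broadcast and getting 20 replies:
    # noisy, but the requester really did send the echo, so it is not an attack.
    + [("10.0.0.7", "198.51.100.255", 8)]
    + [(f"198.51.100.{h}", "10.0.0.7", 0) for h in range(1, 21)]
    # 40 echo-replies from one /24 land on 203.0.113.9, which never pinged that
    # subnet: the forged "source" (victim) side of a directed-broadcast smurf.
    + [(f"198.51.100.{h}", "203.0.113.9", 0) for h in range(1, 41)]
)


def echo_reply_amplification(records, min_hosts=16):
    """Return {(victim, '/24'): replying_host_count} for every destination that
    receives echo-replies from at least min_hosts distinct hosts of one /24
    without having sent an echo request into that /24.  The host count is the
    amplification factor: one forged echo produced that many replies."""
    requests = set()               # (requester, /24 the request was sent into)
    replies = defaultdict(set)     # (reply destination, replying /24) -> hosts
    for src, dst, icmp_type in records:
        src_net = ip_network(f"{src}/24", strict=False)
        dst_net = ip_network(f"{dst}/24", strict=False)
        if icmp_type == 8:
            requests.add((src, dst_net))
        elif icmp_type == 0:
            replies[(dst, src_net)].add(src)
    suspicious = {}
    for (victim, net), hosts in replies.items():
        # Replies that answer a request the destination itself sent are legitimate,
        # even if there are many of them (broadcast ping by the local admin).
        if len(hosts) >= min_hosts and (victim, net) not in requests:
            suspicious[(victim, str(net))] = len(hosts)
    return suspicious


if __name__ == "__main__":
    for (victim, net), factor in echo_reply_amplification(SAMPLE_RECORDS).items():
        print(f"{victim} receives echo-replies from {factor} hosts in {net} "
              f"without requesting them (amplification x{factor})")
```

Blocking echo-reply toward the flagged destination at the border stops the replies reaching the host, but, as the text notes, they still cross the upstream pipe; the lasting fix is the amplifier network turning off directed broadcast.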

Ok. You know how I always ask the obvious... So, here I go again..

This is only slightly off topic.. If you have no amplifiers
greater than 2x-4x, is there really a need to turn off ip directed
broadcasts?

  And if this is true, doesn't designing your network with minimized
amplifier space sort of negate all this ?

Enlighten me ....

   Richard

Pete Ashdown wrote:

Ok. You know how I always ask the obvious... So, here I go again..

This is only slightly off topic.. If you have no amplifiers
greater than 2x-4x, is there really a need to turn off ip directed
broadcasts?

My feelings there are "why not?". If you are running on a platform (such
as Cisco) that makes it easy to turn off directed broadcast you can only
help by turning it off. In the attacks that have come our way, the
attackers have used almost every size of amplifier. I also suspect that
as network managers become more clueful (a slow painful process) that the
attackers will eventually have to resort to less efficient means of
attack.

  And if this is true, doesn't designing your network with minimized
amplifier space sort of negate all this ?

In some applications that wouldn't be a hard thing to do, but for most
it's nearly impossible.

Brandon Ross Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
Mosher's Law of Software Engineering: Don't worry if it doesn't work
right. If everything did, you'd be out of a job.