On Mon, 16 Mar 1998 jlixfeld@idirect.ca wrote:
==>I've kept hearing about a UDP smurf floating around and I'd like to put up
==>a firewall to prevent it. Can anyone give me any insight on how this is
==>done? I don't understand enough about UDP, broadcasts or enough about
==>access-lists to create an effective one. Can anyone give me some
==>pointers?
I'm going to be updating my smurf pages at
http://www.quadrunner.com/~chuegen/smurf/ to contain the information about
the UDP smurf.
Basically, here are the key points:
* UDP smurf is just like the ICMP smurf, using directed-broadcast and UDP
port 7
* A bit more dangerous if the packet is spoofed just right, because it
can cause an endless packet loop with some stacks until the packets get
dropped.
Prevention pieces:
* "no ip directed-broadcast" still prevents your network from being an
intermediary
* Disable the internal troubleshooting services in machines, where
possible. For UNIX boxes, comment the "echo" and "chargen" services in
inetd.conf and restart inetd:
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
* It's easier to filter UDP smurfs without breaking something. For
instance, filtering ICMP smurfs required that you break ping (and block
ICMP echo-reply packets)
access-list <x> deny udp any eq echo any
access-list <x> deny udp any any eq echo
Adding these to an inbound access-list will protect the traffic from
getting past.
You should see more information on my pages in a few days.
/cah
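As an added illustration (not part of the original mail), the following Python snippet applies the same logic as the two access-list lines above to sample UDP packets, and additionally flags directed-broadcast destinations and the echo/chargen loop case the post warns about. The packet records, the 192.0.2.0/24 "local" subnet and the classify() helper are all constructed assumptions for the demo.

```python
"""Flag UDP packets matching the UDP-smurf patterns described in the post.

Constructed example: mirrors the two Cisco access-list lines
  access-list <x> deny udp any eq echo any
  access-list <x> deny udp any any eq echo
and also checks for directed-broadcast destinations and the
echo/chargen loop case. All sample data below is made up.
"""
import ipaddress
from dataclasses import dataclass

ECHO, CHARGEN = 7, 19
LOOP_PORTS = {ECHO, CHARGEN}   # services that answer every datagram they get

@dataclass
class UdpPacket:
    src: str
    dst: str
    sport: int
    dport: int

def acl_denies(pkt: UdpPacket) -> bool:
    """Same effect as the two access-list lines: UDP with echo as src or dst port."""
    return pkt.sport == ECHO or pkt.dport == ECHO

def is_directed_broadcast(pkt: UdpPacket, local_nets) -> bool:
    """True if the destination is the broadcast address of one of our subnets."""
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == net.broadcast_address for net in local_nets)

def classify(pkt: UdpPacket, local_nets) -> list:
    """Return the list of reasons a packet looks like UDP-smurf traffic (empty = fine)."""
    reasons = []
    if acl_denies(pkt):
        reasons.append("acl-echo")
    if is_directed_broadcast(pkt, local_nets):
        reasons.append("directed-broadcast")
    if pkt.sport in LOOP_PORTS and pkt.dport in LOOP_PORTS:
        reasons.append("port-loop")   # echo<->chargen ping-pong between two hosts
    return reasons

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed (RFC 5737 range)

SAMPLE = [   # constructed packets
    UdpPacket("198.51.100.9", "192.0.2.255", 7, 7),    # spoofed trigger to subnet broadcast
    UdpPacket("192.0.2.10", "192.0.2.20", 40000, 53),  # ordinary DNS query, should pass
    UdpPacket("192.0.2.10", "192.0.2.20", 19, 7),      # chargen -> echo loop between hosts
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, classify(p, LOCAL_NETS) or ["ok"])
```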
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:15 EDT