Amplification Attacks: Smurf, Papasmurf, Fraggle - D-Link NetDefend DFL-210 User Manual

6.6.7. Amplification attacks: Smurf,
Papasmurf, Fraggle
• By stripping the URG bit by default from all TCP segments traversing the system (configurable
via Advanced Settings > TCP > TCPUrg).
WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the
rule in your policy that disallowed the connection attempt. For connections allowed through the
system, "TCP" or "DROP" category (depending on the TCPUrg setting) entries will appear, with a
rule name of "TCPUrg". The sender IP address is not likely to be spoofed; a full three-way
handshake must be completed before out-of-band segments can be sent.

6.6.7. Amplification attacks: Smurf, Papasmurf, Fraggle

This category of attacks all make use of "amplifiers": poorly configured networks who amplify a
stream of packets and send it to the ultimate target. The goal is excessive bandwidth consumption -
consuming all of the victim's Internet connection capacity. An attacker with sufficient bandwidth
can forgo the entire amplification stage and simply stream enough bandwidth at the victim.
However, these attacks allows attackers with less bandwidth than the victim to amplify their data
stream to overwhelm the victim.
• "Smurf" and "Papasmurf" send ICMP echo packets to the broadcast address of open networks
with many machines, faking the source IP address to be that of the victim. All machines on the
open network then "respond" to the victim.
• "Fraggle" uses the same general idea, but instead using UDP echo (port 7) to accomplish the
task. Fraggle generally gets lower amplification factors since there are fewer hosts on the
Internet that have the UDP echo service enabled.
Smurf attacks will show up in NetDefendOS logs as masses of dropped ICMP Echo Reply packets.
The source IP addresses will be those of the amplifier networks used. Fraggle attacks will show up
in NetDefendOS logs as masses of dropped (or allowed, depending on policy) packets. The source
IP addresses will be those of the amplifier networks used.
Avoiding Becoming an Amplifier
Even though the brunt of the bandwidth stream is at the ultimate victim's side, being selected as an
amplifier network can also consume great resources. In its default configuration, NetDefendOS
explicitly drops packets sent to broadcast address of directly connected networks (configurable via
Advanced Settings > IP > DirectedBroadcasts). However, with a reasonable inbound policy, no
protected network should ever have to worry about becoming a smurf amplifier.
Protection on the Victim's Side
Smurf, and its followers, are resource exhaustion attacks in that they use up Internet connection
capacity. In the general case, the firewall is situated at the "wrong" side of the Internet connection
bottleneck to provide much protection against this class of attacks. The damage has already been
done by the time the packets reach the firewall.
However, NetDefendOS may be of some help in keeping the load off of internal servers, making
them available for internal service, or perhaps service via a secondary Internet connection not
targeted by the attack.
• Smurf and Papasmurf floods will be seen as ICMP Echo Responses at the victim side. Unless
"FwdFast" rules are in use, such packets are never allowed to initiate new connections,
regardless of whether or not there are rules that allow the traffic.
• Fraggle packets may arrive at any UDP destination port targeted by the attacker. Tightening the
inbound rule set may help.
The Traffic Shaping feature built into NetDefendOS also help absorb some of the flood before it
reaches protected servers.
278
Chapter 6. Security Mechanisms