catching smurf attack...

Post by Perego Paol » Thu, 09 Nov 2000 04:00:00



Hi guys, I'm writing a module for my computer science thesis work.
I've to catch the smurf attack using netfilter firewalling scheme
( so we are in 2.4.0 kernel series ).
How is the broadcast field in the sock structure filled, and when?

Thanks

--
$>cd /pub
$>more beer


Tutor at D.S.I. - University of Milan
I'm Linux zion 2.4.0-test9 #2 Fri Oct 27 10:51:12 CEST 2000 i586 unknown


catching smurf attack...

Post by deadmea » Sun, 12 Nov 2000 13:40:55


> Hi guys, I'm writing a module for my computer science thesis work.
> I've to catch the smurf attack using netfilter firewalling scheme
> ( so we are in 2.4.0 kernel series ).
> How is the broadcast field in the sock structure filled, and when?

do you mean you want to detect if you are:
- the source amplifier in a smurf attack, or
- the target in a smurf attack?

if the former, it should be a simple matter of adding a firewall rule (I
don't know netfilter yet) that logs any packets arriving on your internet
interface destined for your broadcast address. for IPChains, it would be
something like

ipchains -I input 1 -j REJECT -i ppp0 -d 1.2.3.255 -l

where ppp0 is your link to the internet, and 255 is your broadcast address
(mine is 192 since I have a subnet not a whole net, so make sure you know
what it is).

if you get a lot of packets logged for this, it could be indicative of an
attack. a small number may just be a portscan.


catching smurf attack...

Post by Perego Paol » Tue, 14 Nov 2000 04:00:00



>> Hi guys, I'm writing a module for my computer science thesis work.
>> I've to catch the smurf attack using netfilter firewalling scheme
>> ( so we are in 2.4.0 kernel series ).
>> How is the broadcast field in the sock structure filled, and when?
> do you mean you want to detect if you are:
> - the source amplifier in a smurf attack, or
> - the target in a smurf attack?

I have to detect if a smurf attack is starting from my server and
I have to do this in a kernel module that I'm writing. The problem is
that I can't understand how the "broadcast" field in the sk_buff structure
is filled up! :(

                Ciao :)

--
$>cd /pub
$>more beer


Tutor at D.S.I. - University of Milan
I'm Linux zion 2.4.0-test9 #1 Fri Oct 20 14:09:56 CEST 2000 i586 unknown


catching smurf attack...

Post by deadmea » Tue, 14 Nov 2000 04:00:00


> that I can't understand how the "broadcast" field in the sk_buff structure

can't help you there.

it doesn't matter anyway, like I said - the broadcast address of the remote
could be anything. I have no idea how to get it without using my provider's
whois server either. i suspect not all networks have functional whois
servers, so you can't rely on that.

what you will need to do is check the source IPs of the outgoing packets -
if they are not one of your own, it's spoofed - and that is bad even if it's
not being used in a smurf attack.

ipchains -A output -i eth0 ! -s $MYIP -d 0/0 -j REJECT -l
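The two checks deadmea describes in this and the earlier reply (log inbound packets aimed at your broadcast address; flag outbound packets whose source is not your own) can be tried without a live firewall. The following is an added example, not code from the thread: it evaluates both checks over constructed packet records. The networks, interface names, threshold and every packet in it are assumed values.

```python
"""Added example (not code from the thread): the two checks deadmea describes,
run over constructed packet records instead of a live ipchains/netfilter rule.

Check 1 (amplifier): inbound packets on the internet link whose destination is
one of our broadcast addresses, counted per source. A flood from one source is
the smurf signature; a handful may just be a scan.
Check 2 (origin): outbound packets whose source is not one of our own
addresses, i.e. spoofed, which is what a smurf origin host emits.

OUR_NETWORKS, the interface names and every packet below are assumed values.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.128/26")]
INTERNET_IFACE = "ppp0"            # the link to the internet, as in the post
AMPLIFIER_THRESHOLD = 20           # per-source hits before we call it an attack


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving) or "out" (leaving)
    iface: str       # interface the packet crossed
    proto: int       # IP protocol number; 1 = ICMP, 6 = TCP
    src: str
    dst: str


def broadcast_addresses():
    """Directed broadcast of each of our subnets plus the limited broadcast."""
    addrs = {net.broadcast_address for net in OUR_NETWORKS}
    addrs.add(ip_address("255.255.255.255"))
    return addrs


def is_ours(addr):
    return any(ip_address(addr) in net for net in OUR_NETWORKS)


def amplifier_hits(packets):
    """Per-source count of inbound internet packets aimed at a broadcast address."""
    bcast = broadcast_addresses()
    counts = Counter()
    for p in packets:
        if (p.direction == "in" and p.iface == INTERNET_IFACE
                and ip_address(p.dst) in bcast):
            counts[p.src] += 1
    return counts


def amplifier_suspects(packets, threshold=AMPLIFIER_THRESHOLD):
    """Sources above the threshold; that source address is the likely smurf victim."""
    return sorted(s for s, n in amplifier_hits(packets).items() if n >= threshold)


def spoofed_outbound(packets):
    """Outbound packets on the internet link whose source is not one of ours."""
    return [p for p in packets
            if p.direction == "out" and p.iface == INTERNET_IFACE and not is_ours(p.src)]


# Constructed traffic: 25 echo requests to our directed broadcast carrying the
# victim's address 203.0.113.7 as source, 2 to the limited broadcast from a
# scanner, ordinary traffic, one legitimate outbound packet and one outbound
# packet with a source that is not ours.
SAMPLE = (
    [Packet("in", "ppp0", 1, "203.0.113.7", "192.0.2.255")] * 25
    + [Packet("in", "ppp0", 1, "203.0.113.50", "255.255.255.255")] * 2
    + [Packet("in", "ppp0", 6, "203.0.113.50", "192.0.2.10"),
       Packet("in", "eth0", 1, "192.0.2.10", "192.0.2.255"),    # LAN-side broadcast, ignored
       Packet("out", "ppp0", 6, "192.0.2.10", "203.0.113.50"),  # our own address, fine
       Packet("out", "ppp0", 1, "203.0.113.9", "198.51.100.1")] # spoofed source
)


if __name__ == "__main__":
    print("amplifier hits:", dict(amplifier_hits(SAMPLE)))
    print("suspects:", amplifier_suspects(SAMPLE))
    print("spoofed outbound:", [p.src for p in spoofed_outbound(SAMPLE)])
```

The per-source count is what separates the two situations deadmea distinguishes: the 25 hits from one source cross the threshold, the 2 from the scanner do not. The outbound check needs no knowledge of the remote network's broadcast address at all, which is why it is the usable one on the origin side.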


1. filtering out smurf attack w/ ipchains

There have been some serious problems with smurf attacks on my network, and
I'm considering blocking them with ipchains.
There are two scenarios:
first is the machine which has become the attacker by entering a user acc.
second will be used as a dedicated firewall and should block any attempt
of that kind.

What do I need?

I have come up with something like
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
ipchains -A input -p icmp -d 255.255.255.0 -j DENY
ipchains -A input -p icmp -d 255.255.255.255 -j DENY
ipchains -A input -p icmp -d my.net.xxx.0 -j DENY
I have duplicate set with "-A output"

What about different types of icmp traffic?
What about the differences between the first and the second machine?

Is it OK? It may not be wise to actually start an attack to
check the effectiveness of it :)

--
Computers are useless
They can only give you answers
                        --- Pablo Picasso
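The three posted input rules can be checked against constructed ICMP packets rather than a live attack. The matcher below is an added example, not code from the post. It assumes the ipchains semantics that a `-d` address given without a `/mask` matches exactly one host (a /32), it stands in the constructed subnet 192.0.2.0/24 for the post's `my.net.xxx`, and it ignores the `-p icmp` subtype question. Under those assumptions it shows which destinations the rules deny, that the subnet's directed broadcast (.255) falls through to the default policy because only the .0 host is listed, and the one extra rule that closes that gap.

```python
"""Added example (not code from the post): evaluate the three posted ipchains
input rules against constructed ICMP packets.

Assumption (ipchains semantics): "-d address" with no /mask is an exact /32
host match, so "-d my.net.xxx.0" matches only the .0 host address.
The post's my.net.xxx subnet is stood in by the constructed 192.0.2.0/24.
"""
from ipaddress import ip_address, ip_network

ICMP, TCP, UDP = 1, 6, 17

# (protocol or None for any, destination match, target), in chain order.
INPUT_RULES = [
    (ICMP, ip_network("255.255.255.0/32"), "DENY"),      # -d 255.255.255.0
    (ICMP, ip_network("255.255.255.255/32"), "DENY"),    # -d 255.255.255.255
    (ICMP, ip_network("192.0.2.0/32"), "DENY"),          # -d my.net.xxx.0
]
DEFAULT_POLICY = "ACCEPT"   # assumed chain policy

# One added rule for the subnet's directed broadcast address.
HARDENED_RULES = INPUT_RULES + [(ICMP, ip_network("192.0.2.255/32"), "DENY")]


def verdict(proto, dst, rules=INPUT_RULES):
    """First matching rule wins, as in an ipchains chain; else the policy."""
    d = ip_address(dst)
    for rproto, rdst, target in rules:
        if (rproto is None or rproto == proto) and d in rdst:
            return target
    return DEFAULT_POLICY


def uncovered_broadcasts(subnet, rules=INPUT_RULES):
    """Broadcast-style destinations of `subnet` that the rules let through."""
    net = ip_network(subnet)
    candidates = [net.network_address, net.broadcast_address,
                  ip_address("255.255.255.255")]
    return [str(a) for a in candidates if verdict(ICMP, str(a), rules) != "DENY"]


if __name__ == "__main__":
    for dst in ("255.255.255.255", "192.0.2.0", "192.0.2.255"):
        print(f"ICMP -> {dst}: {verdict(ICMP, dst)}")
    print("uncovered with posted rules:", uncovered_broadcasts("192.0.2.0/24"))
    print("uncovered with extra rule:  ", uncovered_broadcasts("192.0.2.0/24", HARDENED_RULES))
```

The `.0` rule covers the old-style all-zeros broadcast that some stacks still honour, but the address an amplifier flood is aimed at is the all-ones directed broadcast of the subnet, which is the one the matcher reports as uncovered until the extra rule is present. Non-ICMP packets to the same addresses also pass, since every rule carries `-p icmp`.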
