Signature Detail

ICMP: Smurf DoS

This protocol anomaly is an ICMP packet sent to a destination IP of 255.255.255.255 or to an all broadcast MAC address (ff:ff:ff:ff:ff:ff). Because this is a broadcast packet, all hosts in the broadcast segment reply to the sender, causing a denial-of-service (DoS) on the network. Attackers typically spoof the source IP of the packet to generate this attack.

Extended Description

The "Smurf" denial of service exploits the existance, and forwarding of, packets sent to IP broadcast addreses. By creating an ICMP echo request packet, with the source address set to an IP within the network to be attacked, and the destination address the IP broadcast address of a network which will forward and respond to ICMP echo packets sent to broadcast. Each packet sent in to the network being used to conduct the attack will be responded to by any machine which will respond to ICMP on the broadcast address. Therefore, a single packet can result in an overwhelming response count, all of which are directed to the network the attacker has forged as the source. This can result in significant bandwidth loss.

Affected Products

• Digital UNIX 3.2.0 G
• Digital UNIX 4.0.0
• Digital UNIX 4.0.0 A
• Digital UNIX 4.0.0 B
• Digital UNIX 4.0.0 C
• Digital UNIX 4.0.0 D
• FreeBSD 1.1.5 .1
• FreeBSD 2.0.5
• FreeBSD 2.1.0
• FreeBSD 2.1.5
• FreeBSD 2.1.6
• FreeBSD 2.1.7 .1
• FreeBSD 2.2.2
• FreeBSD 2.2.3
• FreeBSD 2.2.4
• HP HP-UX 10.20.0
• HP HP-UX 11.0.0
• IBM AIX 3.1.0
• IBM AIX 3.2.0
• IBM AIX 3.2.4
• IBM AIX 3.2.5
• Linux kernel 2.0.0
• Linux kernel 2.1.0
• NetBSD 1.2.0
• Sun Solaris 2.4
• Sun Solaris 2.4_x86
• Sun Solaris 2.5
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_ppc
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.5_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86

References

• BugTraq: 147
• CERT: CA-1998-01
• CVE: CVE-1999-0513
• URL: http://www.securityfocus.com/advisories/176