vulnerabilities and SMURF

fdudek
Level 1

Hi,

I don't want this forum to degrade into a hacker's den, but as an Academy instructor I'm always interested in the way things work...

So, recently I have looked a bit more into network attacks and picked out SMURF as a good example of a DDoS attack.

Replicating this in my Academy lab with 2 LANs and a couple of 2600 routers proved difficult however:

As far as I understand it, SMURF relies on the multiplication of ICMP replies targeted at one particular host. That multiplication is achieved by spoofing that machine's IP address in the ICMP request which is sent by broadcast to many intermediate "attack hosts".

Now on all the forums I read, the best mitigation for this is to disable broadcast forwarding on the routers ("no ip directed-broadcast" is default on all IOS after 12.1).

My question (because one of my students asked me): How can this possibly be happening on the internet? Why do some internet backbone routers still forward directed broadcasts? What is their legitimate use? CCNA teaches us that routers break up broadcast domains. So that's not quite true then??

Has anyone ever experimented with this? Any insight would be greatly appreciated.

Best

Frank Dudek CCNP

1 Reply 1

mhellman
Level 7

I don't believe SMURF attacks are very common these days. There are always going to be old/misconfigured routers somewhere on the Internet though, so I suppose they still happen.

"Why do some internet backbone routers still forward directed broadcasts?"

I don't see how a backbone router could know that the destination address is a broadcast address.

"CCNA teaches us that routers break up broadcast domains."

That is true, but I don't see how that is relevant here. The router has received a packet with a destination IP that is a broadcast address on another interface.
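Added example, not part of either post and not Cisco's code: a simplified Python model of the point made in the reply, that only a router attached to the destination subnet knows its mask and can therefore recognize a directed broadcast. The function name, return labels and addresses (documentation ranges) are assumptions made for illustration; `allow_directed_broadcast=False` stands in for the `no ip directed-broadcast` default mentioned in the question.

```python
import ipaddress

def classify(dst, connected, allow_directed_broadcast=False):
    """Model what a router does with a routed packet addressed to `dst`.

    connected: CIDR strings for the router's directly attached subnets.
    The router only knows the mask of subnets it is attached to, so it can
    only recognize a directed broadcast aimed at one of those subnets.
    """
    addr = ipaddress.ip_address(dst)
    for cidr in connected:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen >= 31:
            continue  # /31 and /32 have no broadcast address
        if addr == net.broadcast_address:
            # Last-hop router: the destination is this subnet's broadcast.
            if allow_directed_broadcast:
                return "flood-to-subnet"          # every host on the LAN gets it
            return "drop-directed-broadcast"      # the hardened default
    # Any other router sees an ordinary destination and routes it onward.
    return "forward-as-unicast"

if __name__ == "__main__":
    # Constructed topologies (hypothetical, documentation address space).
    backbone = ["10.0.0.0/30", "10.0.0.4/30"]   # transit links only
    last_hop = ["192.0.2.0/24"]                 # attached to the target LAN

    print(classify("192.0.2.255", backbone))        # cannot tell it is a broadcast
    print(classify("192.0.2.255", last_hop))        # recognized and dropped
    print(classify("192.0.2.255", last_hop, True))  # legacy behaviour: flooded
    # Same address, different mask: .127 is a host in the /24
    # but the broadcast address of the /25.
    print(classify("192.0.2.127", ["192.0.2.0/24"]))
    print(classify("192.0.2.127", ["192.0.2.0/25"]))
```
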