On Sun, 21 Jun 1998, Henry Linneweh wrote:
> Now that we have gotten down to the nitty gritty here.
> AGAIN the main mechanism for spoofing the smurf attacks is a program called wingate, ban that code and this problem will be cut more than in half.
What does wingate have to do with this? Smurf attack is the term used for an ICMP echo based denial of service attack caused by sending a forged ICMP echo request to a broadcast network address. The attacker forges the source address of the ICMP echo request to that of his victim, so all ICMP echo replies come back and flood the victim(s). Now, these packets can be hand forged by anyone with a moderate knowledge of C and root on a UN*X workstation. Don't fix the symptom, but fix the reason these attacks work. Packet authentication is the answer down the line, but for now it's getting the twonks with their networks open to fix the problem. This DoS can also be done with UDP echo, and UDP packets are much easier to forge/spoof than TCP.
> Next there is a rumor that 8000 users have been infected with a tweaked system.exe file that makes that user a smurf amplifier unwittingly. These are things to watch for. I wish there was an easier way to break bad news.
I fell out of my chair at that statement. One user/host cannot be a smurf amplifier; one network from a /30 and down can with different results.

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
Any spelling mistakes and/or grammar errors are due to lack of sleep...
> Henry
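The two conditions the reply describes (an echo request aimed at a broadcast address, and a source address that does not belong to the sending network) can be checked at a network border. The following is an added example, not part of either poster's message; the prefixes, the packet dictionaries and the function names are constructed for illustration.

```python
import ipaddress

# Constructed site layout (assumption): the prefixes behind this border router.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/30")]
ECHO_PROTOS = ("icmp-echo", "udp-echo")  # the reply notes UDP echo works as well

def broadcast_target(dst):
    """Return the local subnet whose broadcast address dst is, else None.

    The all-zeros (network) address is included because older IP stacks
    treat it as a broadcast address too.
    """
    addr = ipaddress.ip_address(dst)
    for net in LOCAL_NETS:
        if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
            return net
    return None

def max_repliers(net):
    """Upper bound on hosts that could answer one broadcast echo request."""
    return net.num_addresses - 2  # exclude network and broadcast addresses

def source_is_local(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_NETS)

def verdict(pkt):
    """pkt: dict with direction ('in' or 'out'), proto, src, dst."""
    # Egress check: a packet leaving us must carry one of our own addresses.
    if pkt["direction"] == "out" and not source_is_local(pkt["src"]):
        return "drop: forged source leaving our network"
    # Ingress check: refuse echo requests addressed to a whole subnet.
    if pkt["direction"] == "in" and pkt["proto"] in ECHO_PROTOS:
        net = broadcast_target(pkt["dst"])
        if net is not None:
            return f"drop: echo to broadcast of {net} (up to {max_repliers(net)} repliers)"
    return "pass"

# Constructed sample packets, not captured traffic.
SAMPLE = [
    {"direction": "in", "proto": "icmp-echo", "src": "203.0.113.9", "dst": "192.0.2.255"},
    {"direction": "in", "proto": "icmp-echo", "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"direction": "in", "proto": "udp-echo", "src": "203.0.113.9", "dst": "198.51.100.3"},
    {"direction": "out", "proto": "icmp-echo", "src": "203.0.113.9", "dst": "10.1.1.255"},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["src"], "->", p["dst"], ":", verdict(p))
```

The replier count shows why subnet size matters: the /24 can return up to 254 replies for one request, the /30 only 2.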