Here's some more information about the release of the UDP smurf, also called "fraggle", which was made this weekend. I understand a request was made to nanog as well requesting information. Almost the same rules as "smurf" applies. "no ip directed-broadcast" is your friend. /cah ---------- Forwarded message ---------- Date: Mon, 16 Mar 1998 09:35:36 -0800 (PST) From: "Craig A. Huegen" <chuegen@quadrunner.com> To: Cisco-NSP <cisco-nsp@iagnet.net> Cc: Cisco at Colorado <cisco@spot.colorado.edu> Subject: Re: [nsp] UDP broadcast filters. On Mon, 16 Mar 1998 jlixfeld@idirect.ca wrote: ==>I've kept hearing about a UDP smurf floating around and I'd like to put up ==>a firewall to prevent it. Can anyone give me any insight on how this is ==>done? I don't understand enough about UDP, broadcasts or enough about ==>access-lists to create an effective one. Can anyone give me some ==>pointers? I'm going to be updating my smurf pages at http://www.quadrunner.com/~chuegen/smurf/ to contain the information about the UDP smurf. Basically, here's the key points: * UDP smurf is just like the ICMP smurf, using directed-broadcast and UDP port 7 * A bit more dangerous if the packet is spoofed just right, because it can cause and endless packet loop with some stacks until the packets get dropped. Prevention pieces: * "no ip directed-broadcast" still prevents your network from being an intermediary * Disable the internal troubleshooting services in machines, where possible. For UNIX boxes, comment the "echo" and "chargen" services in inetd.conf and restart inetd: #echo stream tcp nowait root internal #echo dgram udp wait root internal #chargen stream tcp nowait root internal #chargen dgram udp wait root internal * It's easier to filter UDP smurfs without breaking something. For instance, filtering ICMP smurfs required that you break ping (and block ICMP echo-reply packets) access-list <x> deny udp any eq echo any access-list <x> deny udp any any eq echo Adding these to an inbound access-list will protect the traffic from getting past. You should see more information on my pages in a few days. /cah