CVE-1999-0513
The Smurf attack, and other attacks of this type such as Fraggle and Papasmurf, form a category of network-level attacks against hosts. A Smurf-type attack begins when a hacker sends a large amount of ICMP echo (ping) traffic to a subnet broadcast address (for instance xxx.xxx.xxx.255; the final 255 marks this as a broadcast address). This traffic carries a spoofed return address: the address of the intended victim of the attack. When the individual machines on that network receive the ICMP echo requests, each replies with an echo reply, and all of these replies go to the address spoofed in the original ICMP echo requests. On networks with a large number of systems, the traffic generated can be voluminous indeed. The system which is the victim of the attack (the one indicated by the spoofed IP address) quickly becomes overwhelmed by incoming traffic and will almost certainly lose connectivity to the Internet.
There are in fact two victims of this type of attack when it is run: the network which is exploited to generate the ICMP traffic (called the intermediary, or "helper", network) and the system indicated by the spoofed IP address.
CVE-1999-0514
The Fraggle DoS attack is essentially based on the same concept as the Smurf attack (namely that generating huge amounts of network traffic will disable a machine or cause it to lose connectivity to the Internet), but uses UDP instead of ICMP. Although it is not as serious as some other attacks of this type, it will still generate a huge amount of network traffic.
CVE-1999-0103
UDP Flood attacks exploit UDP services which are known to reply to packets.
Here is how it works: a hacker armed with a list of broadcast addresses sends spoofed UDP packets to those addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. At other times they are directed to the chargen port (a service that generates a stream of characters when queried). Sometimes a hacker is able to set up a loop between the echo and chargen ports, generating that much more network traffic (this attack generally works on NT boxes).
The result of this attack is, as stated earlier, a massive amount of traffic on the network. Whole networks may crawl to a stop, and individual systems may lose connectivity to the Internet and/or, in some cases, crash.
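All three attacks described above (Smurf, Fraggle and the UDP echo/chargen flood) leave the same two footprints on the wire: requests aimed at a subnet broadcast address on the "helper" network, and reply traffic from many distinct hosts converging on the single spoofed victim address. The following detector is an added example written for this page, not code from the original tutorial or from any of the tools it mentions. It runs over constructed packet summaries in a simple `key=value` line format assumed for the example (the addresses, the line format and the threshold of three distinct sources are all assumptions), and reports each footprint separately so an operator can tell whether their network is the intermediary, the victim, or a participant in an echo/chargen loop.

```python
import ipaddress
from collections import defaultdict

# Constructed packet summaries (not a capture from a real network). One packet per
# line; the key=value layout is an assumption made for this example.
SAMPLE_LINES = """
src=10.1.1.1 dst=192.168.0.255 proto=icmp type=echo-request
src=192.168.0.11 dst=10.1.1.1 proto=icmp type=echo-reply
src=192.168.0.12 dst=10.1.1.1 proto=icmp type=echo-reply
src=192.168.0.13 dst=10.1.1.1 proto=icmp type=echo-reply
src=192.168.0.14 dst=10.1.1.1 proto=icmp type=echo-reply
src=192.168.0.15 dst=10.1.1.1 proto=icmp type=echo-reply
src=172.16.5.5 dst=192.168.0.3 proto=icmp type=echo-request
src=192.168.0.3 dst=172.16.5.5 proto=icmp type=echo-reply
src=10.1.1.1 dst=192.168.0.255 proto=udp sport=7 dport=7
src=192.168.0.11 dst=10.1.1.1 proto=udp sport=7 dport=7
src=192.168.0.12 dst=10.1.1.1 proto=udp sport=7 dport=7
src=203.0.113.9 dst=203.0.113.10 proto=udp sport=19 dport=7
src=203.0.113.10 dst=203.0.113.9 proto=udp sport=7 dport=19
"""

AMPLIFIER_PORTS = {7, 19}  # UDP echo and chargen, the services the text names


def parse(lines):
    """Turn the key=value summaries into dicts; ports become ints."""
    packets = []
    for line in lines.strip().splitlines():
        fields = dict(token.split("=", 1) for token in line.split())
        for key in ("sport", "dport"):
            if key in fields:
                fields[key] = int(fields[key])
        packets.append(fields)
    return packets


def broadcast_addresses(prefixes):
    """Directed-broadcast addresses of the prefixes we are responsible for."""
    return {str(ipaddress.ip_network(p).broadcast_address) for p in prefixes}


def find_broadcast_probes(packets, prefixes):
    """Requests aimed at one of our broadcast addresses: the 'helper network' symptom."""
    bcast = broadcast_addresses(prefixes)
    hits = []
    for p in packets:
        if p["dst"] not in bcast:
            continue
        if p["proto"] == "icmp" and p.get("type") == "echo-request":
            hits.append((p["src"], p["dst"], "icmp-echo"))
        elif p["proto"] == "udp" and p["dport"] in AMPLIFIER_PORTS:
            hits.append((p["src"], p["dst"], f"udp/{p['dport']}"))
    return hits


def find_reply_floods(packets, min_sources=3):
    """Replies from many distinct hosts to one address: the victim symptom.

    Returns {victim_address: number_of_distinct_replying_hosts} for every
    destination that meets the (assumed) min_sources threshold.
    """
    sources = defaultdict(set)
    for p in packets:
        icmp_reply = p["proto"] == "icmp" and p.get("type") == "echo-reply"
        udp_reply = p["proto"] == "udp" and p.get("sport") in AMPLIFIER_PORTS
        if icmp_reply or udp_reply:
            sources[p["dst"]].add(p["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


def find_echo_chargen_loops(packets):
    """Host pairs bouncing UDP traffic between port 7 and port 19."""
    pairs = set()
    for p in packets:
        if p["proto"] == "udp" and {p["sport"], p["dport"]} == AMPLIFIER_PORTS:
            pairs.add(frozenset((p["src"], p["dst"])))
    return [tuple(sorted(pair)) for pair in pairs]


if __name__ == "__main__":
    pkts = parse(SAMPLE_LINES)
    print("broadcast probes :", find_broadcast_probes(pkts, ["192.168.0.0/24"]))
    print("reply floods     :", find_reply_floods(pkts))
    print("echo/chargen loops:", find_echo_chargen_loops(pkts))
```

The reply-flood check counts distinct replying hosts rather than raw packets, because a single busy host answering pings is normal while dozens of hosts all answering the same stranger at once is the Smurf signature; the threshold is a tuning knob for the size of the network being watched.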
Unfortunately, there is no sure method of protecting against being the ultimate target of Smurf-type attacks. For the Smurf attack, the surest and safest fix is to configure routers to turn away all incoming ICMP packets. Unfortunately, this will render several ICMP-dependent services, such as ping and traceroute, unusable. Other router configuration methods do exist, and you may read about them in PSI's Filter Configuration page. Other methods, such as ICMP filtering and dropping excess packets at network border routers, are not foolproof but may help alleviate the symptoms of Smurf-type attacks. These methods are described in WinPlanet's Smurf Exploit page, and also in RFC 2267. If you suspect that you have been the victim of a Smurf attack, you may want to download the Smurf Logger, which will allow you to log future Smurf attacks (and other information, such as the broadcast address being used as the intermediary).
As with the Smurf attack, the Fraggle attack is particularly hard to defend against. Some suggestions include blocking broadcast UDP at the router, and perhaps blocking UDP at all terminal servers as well (to prevent malicious network users from flooding out the network). Read the Smurf information above for more information on router configuration tips and border router packet filtering techniques that may prove useful in defending against these types of attacks.
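The two paragraphs above list the border-router measures: refusing traffic to subnet broadcast addresses, blocking broadcast UDP (and the echo/chargen ports), source-address checks of the kind RFC 2267 describes, and dropping excess ICMP rather than all of it so that ping and traceroute keep working. The simulator below is an added example written for this page, not code from the tutorial or from any router vendor; it models those decisions as a small policy engine so the effect of each rule can be checked against constructed traffic. The internal prefix, the sample packets, the rule names and the ICMP rate-limit figures are all assumptions.

```python
import ipaddress

# Assumed addressing for this example: the prefixes that sit behind the border router.
INTERNAL_PREFIXES = ["192.168.0.0/24"]
AMPLIFIER_PORTS = {7, 19}  # UDP echo and chargen


class TokenBucket:
    """Rate-limits ICMP instead of blocking it, so ping/traceroute still work."""

    def __init__(self, rate, burst):
        self.rate = rate        # tokens refilled per second
        self.burst = burst      # maximum stored tokens
        self.tokens = burst
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class BorderFilter:
    """Policy applied at the border: 'in' is Internet -> us, 'out' is us -> Internet."""

    def __init__(self, prefixes, icmp_rate=10.0, icmp_burst=20):
        self.networks = [ipaddress.ip_network(p) for p in prefixes]
        self.broadcasts = {net.broadcast_address for net in self.networks}
        self.icmp_bucket = TokenBucket(icmp_rate, icmp_burst)

    def is_internal(self, addr):
        return any(addr in net for net in self.networks)

    def decide(self, pkt, direction, now):
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if direction == "in":
            # Smurf/Fraggle fix: never forward directed broadcasts into our subnets.
            if dst in self.broadcasts:
                return "drop:directed-broadcast"
            # Outside traffic claiming one of our own addresses is spoofed.
            if self.is_internal(src):
                return "drop:inbound-spoofed-internal-source"
            # Block the UDP amplifier services at the border.
            if pkt["proto"] == "udp" and pkt["dport"] in AMPLIFIER_PORTS:
                return "drop:udp-amplifier-port"
            # Drop excess ICMP rather than all ICMP.
            if pkt["proto"] == "icmp" and not self.icmp_bucket.allow(now):
                return "drop:icmp-rate-limit"
            return "accept"
        # direction == "out": RFC 2267 style ingress filtering at the customer edge,
        # so our network cannot originate requests with a forged source address.
        if not self.is_internal(src):
            return "drop:egress-spoofed-source"
        return "accept"


# Constructed sample traffic (not a capture): (label, direction, packet).
SAMPLE_TRAFFIC = [
    ("ping to our broadcast", "in", {"src": "10.1.1.1", "dst": "192.168.0.255", "proto": "icmp"}),
    ("udp echo to our broadcast", "in", {"src": "10.1.1.1", "dst": "192.168.0.255", "proto": "udp", "sport": 7, "dport": 7}),
    ("udp echo to one host", "in", {"src": "203.0.113.7", "dst": "192.168.0.3", "proto": "udp", "sport": 4000, "dport": 7}),
    ("outsider uses our address", "in", {"src": "192.168.0.9", "dst": "192.168.0.3", "proto": "tcp", "sport": 4000, "dport": 80}),
    ("inside host forges source", "out", {"src": "10.1.1.1", "dst": "203.0.113.255", "proto": "icmp"}),
    ("ordinary web request", "in", {"src": "203.0.113.7", "dst": "192.168.0.3", "proto": "tcp", "sport": 4000, "dport": 80}),
]


def run_sample(now=0.0):
    """Apply the policy to the constructed traffic; returns [(label, decision), ...]."""
    border = BorderFilter(INTERNAL_PREFIXES)
    return [(label, border.decide(pkt, direction, now)) for label, direction, pkt in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for label, decision in run_sample():
        print(f"{label:28s} -> {decision}")
```

The egress check is what stops a network from becoming the source of a Smurf attack, while the directed-broadcast drop is what stops it from becoming the "helper"; the ICMP token bucket is the compromise the text alludes to when it prefers dropping excess packets over turning away all ICMP.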
You can read more about the Smurf attack at Rootshell's Smurf page. Another good source of information is Craig A. Huegen's Smurf Whitepaper. Be sure also to read the Smurf information in CERT Advisory 98.01.
For more information on the UDP Flood attack, see CERT Advisory 96.01.
To keep abreast of existing and emerging Denial of Service attacks, and other security threats, visit the Microsoft Security Advisor, the Windows Central Bug Site, CERT, and/or ircHelp. If information on a specific attack is not located on these sites, keep checking back as they are updated frequently.