::::::::::::::::::::::::::::::::::::::::::::::::::::::::Mar/99
::: The Discordant Opposition Journal ::: Issue 3 - File 6 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

 :the broadcast attack:
  cronus

Why Indeed?

  The Boardcast attack is an attack that comes from the Denial of
Service genre. I hear all your cries of 'No cronus, DoS is so bad'
but to be frank I amn't listening. So lets move on swiftly...

The What Attack?

  Broadcast. Broadcast. The attack is specially suited to taking
down servers or even networks. It involves the creation of spoofed
ICMP echo packets, or ping packets, with the spoofed source address
of the target. Sending our say 10 such packets to different networks
with the same spoofed source address will yeild dozens or possibly
even hundreds of ICMP echo reply packets. This mass flood of packets
can be enough to severly lag a server or take it offline.

Explain!

  Point and click example; 
  Imagine a harmless intermediary network of 100 hosts. The attacker
is conveniently sitting on a T1 connection. The attack begins by the
sending of a 768kb/s stream of ICMP echo (ping) packets, with the 
source address of the target, to the harmless network. All the ping
packets hit the intermediary's broadcast network of 100 hosts and each
of them responds individually to the packets. The effect is 1 packet
in and 100 out. Multiply this by the possible ammount of bandwidth, 
76.8 Mbps of out-bound traffic is created. All this traffic is sent 
to the target's address that was spoofed.

Oh My God!

  Fear not, there are some online tools to test your network for the
afore mentioned flaw;

http://www.netscan.org/ is a site that actively scans networks and mails
the administrators when a vulnerability is found.

http://www.powertech.no/smurf/ is a site which will test scan your
network and allow you to enter a known smurf amplifier site.

  Hosts can, under certain circumstances, be patched to refuse to
respond to broadcasted ICMP echo packets. RFC 1122, "Requirements for 
Internet Hosts -- Communications Layer", Section 3.2.2.6, states: 

   An ICMP Echo Request destined to an IP broadcast or IP
   multicast address MAY be silently discarded.

  The lack of a solid decision on the topic is based on the ongoing
debate between those who feel the ICMP echo is a valuable network
administration toold and those who feel that the misuse can be an
easy source of packet storms.
  Since the debate rages on, most IP stack implementors have chosen,
wisely in the authour's opinion, to reply by default to ICMP echo
packets. It is possible as mentioned above to silently disregard all
ICMP echo packets received and patchs to acheive this have been around
for awhile. Unfortunatly some services may require the full range of 
broadcast capabilities. Check before disabling the option.

That It?

  Yes that is it. I don't intend to supply source code, technical 
specifications or anything that would actually allow you to carry out
such a broadcast attack. Just the thought that it is remarkably easy
and should be consider a major worry.

References...

RFC-1122, "Requirements for Internet Hosts - Communication Layers";
  R.T. Braden; October 1989.

RFC-1812, "Requirements for IP Version 4 Routers"; F. Baker; June 1995.

RFC-2267, "Network Ingress Filtering: Defeating Denial of Service Attacks
  which employ IP Source Address Spoofing"; P. Ferguson, D. Senie;
  January 1998.

Defining Strategies to Protect Against UDP Diagnostic
  Port DoS Attacks 
  http://cio.cisco.com/warp/public/707/3.html

Cisco command documention to turn off directed broadcasts
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/cs/csprtn1/csipadr.htm#xtocid748113

3Com command documentation to turn off directed broadcasts
  http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/ip4.htm#190

3Com command documentation to disable source spoofing
  http://infodeli.3com.com/infodeli/tools/bridrout/u_guides/html/nb101/family/REF/firewal3.htm#1823


        ! All Hail Discordia !
       cronus (at) iol (dot) ie
  ___________  ____   ____  __ __  ______
_/ ___\_  __ \/  _ \ /    \|  |  \/  ___/
\  \___|  | \(  <_> )   |  \  |  /\___ \ 
 \___  >__|   \____/|___|  /____//____  >
     \/                  \/           \/ 
   http://www.rue-the-day.net/discordia
      http://homepages.iol.ie/~cronus