SMURF Attack

silverback
5StarLounger
Posts: 777
Joined: 29 Jan 2010, 13:30

SMURF Attack

Post by silverback »

My ISP performance today has been terrible. Looking at the router Security Log (whose messages, unfortunately, mean nothing to me) I can see lots of Smurf messages like this (My hyphens in the IP addresses)
**Smurf** 1--.2--.255.255->> 1-.2--.2--.2-, Type:3, Code:3 (from ATM1 Outbound)

Questions.
Does this mean my router is under attack?
Is it stopping any attack?

Looking at Wikipedia, I found a page about Smurf attacks which contained within it this info:
The fix is two-fold:
Configure individual hosts and routers not to respond to ICMP requests or broadcasts.
Configure routers not to forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default, but, in that year, the standard was changed to require the default to be not to forward.
How do I do what is recommended on my router, please?
Thanks
Silverback

mishmish3000
PlatinumLounger
Posts: 3691
Joined: 15 Jul 2010, 14:10
Location: Milton, TN

Re: SMURF Attack

Post by mishmish3000 »

A smurf attack is an exploitation of the Internet Protocol (IP) broadcast addressing to create a denial of service. The attacker uses a program called Smurf to cause the attacked part of a network to become inoperable. The exploit of smurfing, as it has come to be known, takes advantage of certain known characteristics of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The ICMP is used by network nodes and their administrators to exchange information about the state of the network. ICMP can be used to ping other nodes to see if they are operational. An operational node returns an echo message in response to a ping message.

The smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, meaning all IP addresses in a given network. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.

One way to defeat smurfing is to disable IP broadcast addressing at each network router since it is seldom used. This is one of several suggestions provided by the CERT Coordination Center.

http://searchsecurity.techtarget.com/de ... n/smurfing

Does that help at all? It sounds like if you disable IP broadcast addressing at your router, it'll be better. Not sure, though.
Anne

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: SMURF Attack

Post by Argus »

Depends on your router.

The default setting nowadays is to disable ICMP traffic, among them ping, but it's possible that it is enabled.

One can see different log entries without taking a performance hit, but in your case it seems like you have.

Here's an old post mentioning it, and a link to, among others, that wiki article.
silverback wrote: How do I do what is recommended on my router, please?
Which model do you have?
Byelingual    When you speak two languages but start losing vocabulary in both of them.

silverback
5StarLounger
Posts: 777
Joined: 29 Jan 2010, 13:30

Re: SMURF Attack

Post by silverback »

Argus wrote: Which model do you have?
Sorry I haven't replied earlier; thanks to you both for your replies.

The router was supplied by my ISP and so is branded as theirs - I can't find any other identification.
It's a TalkTalk router, model SNA5630NS/05 - if that helps!

I've had a look at the router settings and found a section about Denial of Service. I've attached a picture of the relevant bit.
Are the settings OK as they are?

Many thanks
Silverback

mishmish3000
PlatinumLounger
Posts: 3691
Joined: 15 Jul 2010, 14:10
Location: Milton, TN

Re: SMURF Attack

Post by mishmish3000 »

Does your ISP provider have any guidance on their router? Or the problem you're experiencing? Is it still going on, do you think?
Anne

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: SMURF Attack

Post by Argus »

The router is probably a Philips. Your ISP should be able to guide you since they have put their name on it; they can't escape from that. :grin:

See this page, it has the default settings, I think (though it probably should be ... philips ... you can tell the folks at TalkTalk :smile:): http://www.phillips.talktalk.net/firewall_spi_h.html

Since it has been known for so long I wonder if this still happens, that networks take part in a Smurf attack. The "Discard ping to WAN interface", that you probably will find at the same page in the router settings, i.e. Security > Firewall > Intrusion Detection, is the one I mentioned earlier in the old post, it will stop the router from responding to ICMP Echo Request packets, so it will not take part in an attack. I would not touch the settings you posted, I think they are the default, or close to the default; but it is possible that they can be tweaked a bit to change the router's behaviour.

Back to your original post; you mentioned lots of "Smurf messages" in the log; how often did you see these? I wonder if the router has identified it correctly or if it's something else. I understand that seeing multiple log entries at the same time as a slowdown in the Internet connection might seem suspicious.

Is the first part of the IP address you mentioned above 169? I.e. 169.254.255.255, then it's an "auto-configured" address for a device that can't access a DHCP. In a smurf attack, as I understand it, the source address of the Echo Request packets has been forged, not those responding, sending the Echo Reply; it looks odd. Have you connected other devices to your router recently?

Anyhow, in case of a Smurf attack, as a victim there is not much one can do but contact one's ISP. In this case, even if it isn't a smurf attack, I think it would be a good idea to call your ISP.
Byelingual    When you speak two languages but start losing vocabulary in both of them.
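
An added example, not part of any post in this thread: a small Python triage of log lines in the layout silverback quoted, checking the two things Argus looks at (the ICMP type/code and the source address). The sample lines use constructed addresses, and reading "Outbound" as "leaving via the named interface" is an assumption about this router's log.

```python
import ipaddress
import re

# Layout copied from the one log line quoted in the first post.
LINE_RE = re.compile(
    r"\*\*(?P<tag>\w+)\*\*\s+(?P<src>[\d.]+)\s*->>\s*(?P<dst>[\d.]+),\s*"
    r"Type:(?P<type>\d+),\s*Code:(?P<code>\d+)\s*"
    r"\(from (?P<iface>\S+) (?P<direction>\w+)\)"
)

# ICMP type/code names from RFC 792 (only the ones relevant here).
ICMP_NAMES = {
    (0, 0): "echo reply",
    (8, 0): "echo request",
    (3, 3): "destination unreachable: port unreachable",
}

def triage(line):
    """Return a dict of observations for one log line, or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None  # e.g. a line whose addresses were redacted with hyphens
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    key = (int(m["type"]), int(m["code"]))
    return {
        "tag": m["tag"],
        "icmp": ICMP_NAMES.get(key, "type %d code %d" % key),
        # Smurf traffic is echo requests (to the amplifier) or echo replies (to the victim).
        "is_echo": key in ((8, 0), (0, 0)),
        # 169.254.0.0/16: host that auto-configured because it got no DHCP lease.
        "src_link_local": src.is_link_local,
        # Heuristic only: last octet 255 is the broadcast address of a /24.
        "src_broadcast_like": m["src"].endswith(".255"),
        # Assumption: "Outbound" means the packet was leaving via the named interface.
        "outbound": m["direction"].lower() == "outbound",
    }

# Constructed sample lines (documentation and link-local addresses, not from the thread).
SAMPLES = [
    "**Smurf** 169.254.255.255->> 203.0.113.7, Type:3, Code:3 (from ATM1 Outbound)",
    "**Smurf** 192.0.2.255->> 203.0.113.7, Type:8, Code:0 (from ATM1 Outbound)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```

For the first sample `is_echo` is false: Type 3, Code 3 is a port-unreachable error rather than a ping or its reply, which is a reason to question the router's "Smurf" label, as Argus does.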

stuck
Panoramic Lounger
Posts: 8178
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: SMURF Attack

Post by stuck »

silverback wrote:The router was supplied by my ISP and so is branded as theirs - I can't find any other identification.
It's a TalkTalk router, model SNA5630NS/05 - if that helps!
Google told me this is a Philips router:
http://help2.talktalk.co.uk/broadband-w ... d-software

Ken