RealTime IT News

Net Still Wide Open to Smurfing

This week marks the six-month anniversary of February's denial of service attacks that paralyzed several high-profile Internet sites.

While many system administrators have since beefed up their defenses to prevent such packet floods, a new survey reveals there are still tens of thousands of networks wide open.

In the latest Internet scan by Project Gargimel, more than 100,000 networks were found to be usable as amplifiers for Smurf attacks. In a Smurf attack, the attacker sends ICMP echo requests (pings) to the directed-broadcast address of a vulnerable network, with the source address forged to be that of the intended victim. If the network's border router is misconfigured to forward such directed broadcasts, every host on the subnet answers the request, and the network becomes an unwitting accomplice in a denial of service attack on a third-party site.
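The two signs of that mechanism that a network operator can look for are echo requests arriving for one of its own directed-broadcast addresses (it is being used as the amplifier) and a host receiving echo replies from many machines it never pinged (it is the victim). The following is an added example, not part of the original article or of Project Gargimel's scanner, that runs both checks over a constructed flow log; the prefixes, addresses and log format are assumptions made for the illustration.

```python
"""Detect smurf-style traffic in a simple ICMP flow log (added example)."""
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Assumed prefixes that "we" route. An echo request addressed to the
# directed-broadcast address of any of these means someone is trying to use us
# as an amplifier.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample flow records: "time src dst icmp_type".
# 203.0.113.7 is the (spoofed) victim; the last two lines are a legitimate
# request/reply pair that must not be flagged.
SAMPLE_LOG = """\
0.00 203.0.113.7 192.0.2.255 8
0.01 203.0.113.7 192.0.2.255 8
0.02 203.0.113.7 198.51.100.127 8
0.05 192.0.2.9 203.0.113.7 0
0.05 192.0.2.10 203.0.113.7 0
0.06 192.0.2.11 203.0.113.7 0
0.06 192.0.2.12 203.0.113.7 0
0.07 198.51.100.5 203.0.113.7 0
1.00 192.0.2.9 192.0.2.20 8
1.01 192.0.2.20 192.0.2.9 0
"""


def parse_log(text):
    """Turn the constructed log into (time, src, dst, icmp_type) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, icmp_type = line.split()
        records.append((float(ts), ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(icmp_type)))
    return records


def find_amplifier_abuse(records, prefixes):
    """Echo requests aimed at one of our directed-broadcast addresses, keyed by
    the source address: in a smurf that source is spoofed and is the real target."""
    targets = {net.broadcast_address for net in prefixes}
    hits = defaultdict(int)
    for _, src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST and dst in targets:
            hits[str(src)] += 1
    return dict(hits)


def find_reply_floods(records, min_sources=3):
    """Destinations receiving echo replies from at least `min_sources` distinct
    hosts without having sent a matching request: the victim's-eye view."""
    requested = set()            # (requester, responder) pairs seen so far
    unsolicited = defaultdict(set)
    for _, src, dst, icmp_type in sorted(records, key=lambda r: r[0]):
        if icmp_type == ECHO_REQUEST:
            requested.add((src, dst))
        elif icmp_type == ECHO_REPLY and (dst, src) not in requested:
            unsolicited[dst].add(src)
    return {str(dst): len(s) for dst, s in unsolicited.items()
            if len(s) >= min_sources}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("amplifier abuse:", find_amplifier_abuse(recs, OUR_PREFIXES))
    print("reply floods:", find_reply_floods(recs))
```

On the sample, the first check attributes three broadcast-directed requests to 203.0.113.7, and the second reports five unsolicited reply sources for that same address while ignoring the legitimate 192.0.2.9/192.0.2.20 exchange. On a real network the same logic would be fed by NetFlow or a packet capture, and the reply-flood check is most useful when run on the victim side, since the amplifier usually never sees the flood it is generating.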

According to its survey completed Aug. 8, Project Gargimel found 125,102 networks that allow these open IP directed broadcasts. Among them are networks operated by companies including PSINet and Southwestern Bell Internet, as well as the State of South Carolina and Arizona State University.

Atop the list of potential Smurf amplifiers is a network operated by Aller, a Norway-based publisher of consumer magazines. According to the survey, a single ping to the Aller network's broadcast address draws 10,545 responses.

"Should they have enough bandwidth, if you send them a 1-kilobyte stream, you would get 10.545 megabytes back. That's what makes Smurfs so dangerous -- the multiplication factor," said Craig Huegen, an independent security consultant and the author of a respected white paper on Smurf attacks.

Huegen, who is not affiliated with Project Gargimel, said the number of vulnerable networks has increased since an earlier survey conducted before February's major denial of service attacks. However, the number of networks like Aller's that return hundreds or thousands of packets has decreased.

One reason for this positive trend, according to Huegen, is that knowledge about defending against Smurf attacks is spreading among system administrators. Another is new policies by router makers such as Cisco, which have begun shipping software that does not forward directed broadcasts by default; Cisco IOS 12.0 and later default to "no ip directed-broadcast" on each interface, and RFC 2644 makes that the required default for all routers. Still, the sheer number of networks on the latest survey shows the industry still has work to do.
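Because the default changed between IOS releases, an interface is exposed either when "ip directed-broadcast" appears explicitly or when the router runs a pre-12.0 release and the interface lacks "no ip directed-broadcast". The following is an added example, not code from the article or from Cisco, that audits a saved running-config for exactly that; the two config texts are constructed and the interface names are assumptions.

```python
"""Audit a Cisco IOS configuration for directed-broadcast forwarding (added example)."""

# Constructed pre-12.0 config: the default is ON, so Ethernet0 (no explicit
# "no ip directed-broadcast") forwards directed broadcasts.
OLD_CONFIG = """\
version 11.2
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.128
 no ip directed-broadcast
!
"""

# Constructed 12.0 config: the default is OFF, so only the interface that
# explicitly re-enables the feature is exposed.
NEW_CONFIG = """\
version 12.0
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.128
!
"""


def parse_version(config_text):
    """Return (major, minor) from the 'version X.Y' line, or None if absent."""
    for line in config_text.splitlines():
        if line.startswith("version "):
            major, minor = line.split()[1].split(".")[:2]
            return int(major), int(minor)
    return None


def interface_blocks(config_text):
    """Yield (name, [commands]) for each 'interface ...' stanza; IOS indents the
    stanza's commands with one space and ends it with an unindented line ('!')."""
    name, body = None, []
    for line in config_text.splitlines():
        if line.startswith("interface "):
            if name is not None:
                yield name, body
            name, body = line.split(None, 1)[1], []
        elif name is not None and line.startswith(" "):
            body.append(line.strip())
        elif name is not None:
            yield name, body
            name, body = None, []
    if name is not None:
        yield name, body


def audit_directed_broadcast(config_text):
    """Return the interfaces that will forward IP directed broadcasts."""
    version = parse_version(config_text)
    # Before IOS 12.0 the feature was on unless explicitly disabled; treat an
    # unknown version conservatively as old.
    default_enabled = version is None or version < (12, 0)
    exposed = []
    for name, body in interface_blocks(config_text):
        enabled = default_enabled
        for cmd in body:
            if cmd.startswith("no ip directed-broadcast"):
                enabled = False
            elif cmd.startswith("ip directed-broadcast"):  # may carry an ACL number
                enabled = True
        if enabled:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(label, "exposed interfaces:", audit_directed_broadcast(cfg))
```

The fix for every interface the audit reports is the same one the router vendors moved to by default: "no ip directed-broadcast" on that interface. Note that the audit only covers the amplifier side; an operator who also wants to stop hosting the attacker should pair it with egress filtering that drops packets whose source address is not from the operator's own prefixes, which removes the spoofed ping at its origin.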

"If you haven't updated your software or you don't know about the problem, your network could go down some day because some kid is redirecting traffic at a victim. I still have people tell me, after I've alerted them to the problem, 'I wondered why my network was slowing down,'" said Huegen.

Near the top of the list of Gargimel's most-vulnerable networks is one operated by the Utah Education Network, an electronic consortium of public schools, universities, and television stations in that state.

Troy Jessup, system security administrator for UEN, said he was not surprised to learn that one of its machines was a prime launching pad for Smurf attacks.

"We'll definitely look into it. We strive to keep our infrastructure up to date and secure, but once it's in the hands of a local high school for instance, there's only so much we can do, because we're just the Internet service provider for them," said Jessup.

While education may be the best defense against Smurf attacks, shaming system administrators into closing vulnerable networks may backfire, according to Huegen. "I worry that publishing a list of sites mainly benefits the bad guys," he said.

Brian Gemberling, the author of Project Gargimel, was not available for comment Friday. A note