The Internet Engineering Task Force is requesting comments on its April
proposal to revise RFC1122, designed to help network administrators reduce
the use of Smurf amplification in distributed denial of service attacks.
The IETF work-in-progress proposes that in addition to standards set by RFC1122, Internet service provider technicians should augment ingress filtering. The proposal is designed to specifically limit the use of
broadcasting over local area networks when an intruder unleashes a DDoS attack.
The solution suggested by RFC2644 is for routers only, while the proposed
solution is intended for end-nodes. If a DDoS Smurf attack is generated
using a local broadcast, the RFC2644 solution won't prevent the attack.
The Internet Control Message Protocol (ICMP) is a message control and
error-reporting protocol between a host and a gateway to the Internet. ICMP
uses Internet Protocol datagrams, but its messages are processed by the IP
software and are not directly visible to the application user.
It remains a sticky situation for network administrators attempting to
determine whether a LAN broadcast is legitimate or forged.
A Smurf attack is initiated by sending an ICMP Echo Request packet to an IP
directed broadcast address. The source IP address is forged to be that of
the victim. All the machines on the destination network respond with an echo
reply to the victim, thus generating a Smurf denial-of-service attack.
Recent denial-of-service attacks have illustrated that such action can be
readily taken from a single entry point against many remote networks. The
impact of malicious code writers on computers is well known. In one of the
most brazen DDoS attacks earlier this year, hackers bombarded Yahoo Inc. and
others with millions of messages that led to server crashes.
The IETF proposal recommends that, on each router that could be used in a
Smurf attack, receipt of directed broadcasts be disabled by default. Each
host may discard ICMP Echo Requests destined to an IP broadcast address,
subject to human intervention on the LAN. Internet service provider routers
should implement ingress filtering to prevent forged data packets from
leaving their network boundaries.
Together, these practices would provide a redundant barrier to Smurf attacks.
Each operating system can choose whether or not to respond to a broadcast
ICMP Echo Request.
The latest DDoS attack changes the way the Smurf attack is generated. In
this scenario, the attacker compromises a system within a network and uses
that entire network to launch an attack against another network destination.
The problem remains that such traffic does not travel through a router, so
the proposed solution does not stop the attack. All the machines in the
network that do not discard broadcast ICMP packets will respond with an ICMP
Echo Reply to the victim, which generates a DDoS Smurf attack. In this
instance, ingress filtering on the part of ISPs does not help prevent the
service disruption.
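As an added example (not from the article, the IETF draft, or RFC2644), the following Python model applies the three barriers described above to a forged Echo Request and counts the replies the victim would receive, covering both the classic attack that crosses an ISP and a router and the local-broadcast variant that bypasses both. All addresses, the host count and the path flags are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses from the RFC 5737 documentation ranges, not from the article.
LAN = ipaddress.ip_network("192.0.2.0/24")                     # amplifier network
ATTACKER_ISP_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # attacker's ISP customer prefixes
VICTIM = ipaddress.ip_address("203.0.113.5")                   # address forged as the source
AMPLIFIERS = [ipaddress.ip_address(f"192.0.2.{i}") for i in range(1, 51)]
ECHO_REQUEST = 8

@dataclass(frozen=True)
class Packet:
    src: str        # source address as written in the header (may be forged)
    dst: str
    icmp_type: int

def isp_ingress_allows(pkt: Packet, customer_nets) -> bool:
    """ISP ingress filter: the source must fall inside the customer's own prefixes."""
    return any(ipaddress.ip_address(pkt.src) in n for n in customer_nets)

def router_forwards(pkt: Packet, connected_nets) -> bool:
    """RFC2644 default: never forward a directed broadcast onto a connected subnet."""
    dst = ipaddress.ip_address(pkt.dst)
    return all(dst != n.broadcast_address for n in connected_nets)

def host_replies(pkt: Packet, host_ip, net, discard_broadcast: bool) -> bool:
    """End-node rule from the draft: a host may discard Echo Requests sent to a broadcast address."""
    if pkt.icmp_type != ECHO_REQUEST:
        return False
    dst = ipaddress.ip_address(pkt.dst)
    if dst == host_ip:
        return True                      # unicast ping: always answered
    is_broadcast = dst in (net.broadcast_address, ipaddress.ip_address("255.255.255.255"))
    return is_broadcast and not discard_broadcast

def echo_replies_to_victim(pkt, via_isp, via_router, hosts, net, discard_broadcast) -> int:
    """Count the Echo Replies the forged source receives after each barrier the request crosses."""
    if via_isp and not isp_ingress_allows(pkt, ATTACKER_ISP_NETS):
        return 0                         # forged source stopped at the attacker's ISP
    if via_router and not router_forwards(pkt, [net]):
        return 0                         # directed broadcast stopped at the LAN router
    return sum(host_replies(pkt, h, net, discard_broadcast) for h in hosts)

# Same forged request in both scenarios; only the path it travels differs.
REQUEST = Packet(src=str(VICTIM), dst=str(LAN.broadcast_address), icmp_type=ECHO_REQUEST)

if __name__ == "__main__":
    print(echo_replies_to_victim(REQUEST, False, False, AMPLIFIERS, LAN, False))  # 50: no barriers
    print(echo_replies_to_victim(REQUEST, True, True, AMPLIFIERS, LAN, False))    # 0: ISP filter drops it
    print(echo_replies_to_victim(REQUEST, False, False, AMPLIFIERS, LAN, True))   # 0: local variant, hosts discard
```

The third call is the article's local scenario: a compromised LAN host never crosses the ISP or router barriers, so only the end-node rule reduces the reply count to zero.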
All the same, the proposal would stop one form of LAN-based attack. While
the IETF scrambles to prevent future attacks with this work-in-progress, the
group is currently seeking comments on the new draft.