Net Still Wide Open to Smurfing

This week marks the six-month anniversary of February’s denial of service
attacks that paralyzed several high-profile Internet sites.

While many
system administrators have since beefed up their defenses to prevent such
packet floods, a new survey reveals there are still tens of thousands of
networks wide open.

In the latest Internet scan by Project Gargimel, more than
100,000 machines were found to be exploitable as hosts for Smurf attacks. In
such denial of service attacks, an attacker pings or sends packets to a
vulnerable amplifier site, with a spoofed or bogus return address. If the
server is misconfigured to answer the requests, it can become an unwitting
complicitor in a DoS attack on a third-party site.

According to its survey completed Aug. 8, Project Gargimel found 125,102
networks which allow these Open IP Directed Broadcasts. Among them are
machines operated by companies including PSINet
and Southwestern Bell Internet, as well as
the State of South Carolina and Arizona State University.

Atop the list of potential Smurf amplifiers is one operated by Aller, a Norway-based publisher of consumer
magazines. According to the survey, the Aller network is set up to reply
with 10,545 responses to any ping request.

“Should they have enough bandwidth, if you send them a 1-kilobyte stream,
you would get 10.545 megabytes back. That’s what makes Smurfs so
dangerous — the multiplication factor,” said Craig Huegen, an independent
security consultant and the author of a respected white paper on Smurf attacks.

Huegen, who is not affiliated with Project Gargimel, said the number of
vulnerable networks has increased since an earlier survey prior to the major
denial of service attacks last spring. However, the number of networks like
Aller’s which return hundreds or thousands of packets has decreased.

One reason for this positive trend, according to Huegen, is that knowledge
about defending against Smurf attacks is spreading among system
administrators. Another is new policies by router makers such as Cisco which
have begun setting the default configuration of their software to prevent
Smurf attacks. Still, the sheer number of networks on the latest survey
shows the industry still has work to do.

“If you haven’t updated your software or you don’t know about the problem,
your network could go down some day because some kid is redirecting traffic
at a victim. I still have people tell me, after I’ve alerted them to the
problem, `I wondered why my network was slowing down,'” said Huegen.

Near the top of the list of Gargimel’s most-vulnerable networks is one
operated by the Utah Education Network, an
electronic consortium of public schools, universities, and television
stations in that state.

Troy Jessup, system security administrator for UEN, said he was not
surprised to learn that one of its machines was a prime launching pad for
Smurf attacks.

“We’ll definitely look into it. We strive to keep our infrastructure up to
date and secure, but once it’s in the hands of a local high school for
instance, there’s only so much we can do, because we’re just the Internet
service provider for them,” said Jessup.

While education may be the best defense against Smurf attacks, shaming
system administrators into closing vulnerable networks may backfire,
according to Huegen. “I worry that publishing a list of sites mainly
benefits the bad guys,” he said.

Brian Gemberling, the author of Project Gargimel, was not available for
comment Friday. A note

at his site says he will remove networks from the
list once they notify him that they’ve fixed their security problems.

News Around the Web