This article discusses the problems related to packet flooding, types of floods,resolution, and links to sites with additional information on the subject. This article was taken from:
CVE 1999-0103 CVE 1999-0513
CVE 1999-0514

Your machine may be vulnerable to certain types of Denial of Service attacks (Fraggle, Smurf, Papasmurf, or UDP flood). These DoS attacks affect the entire network and may slow network activity to a crawl. Furthermore, the network can be used as an intermediary to launch attacks on other networks.
Note: The stoplight on this page indicates the highest possible severity level for this category of vulnerabilities. Check the dot next to the link to this tutorial on the previous page to find out the actual severity level.

The Internet Control Message Protocol (ICMP ) is used to communicate general networking information between two hosts, such as whether or not a host is responding, or whether or not a packet reached its intended recipient. The User Datagram Protocol (UDP ) is used by various network services, such as rpc, DNS, and tftp, to transfer data across a network.
The Problem




CVE 1999-0513
The Smurf attack, and other attacks of this type, such as Fraggle and Papasmurf, form a category of network-level attacks against hosts. Smurf, and Smurf type attacks, begin when a hacker sends a large amount of ICMP echo (ping) traffic to a subnet broadcast address (say, for instance, - the 255 number marks this as a broadcast address). This traffic will have a spoofed return address. This spoofed address will be the address of the intended victim of the attack. When individual machines on the network receive the ICMP echo requests, they will reply with an echo reply. These replies will all go to the address spoofed in the original ICMP echo requests. On networks with a large number of systems, the traffic generated could be voluminous indeed. The system which is the victim of the attack (as indicated by the spoofed IP address) quickly becomes overwhelmed by incoming traffic, and will almost certainly lose connectivity to the Internet.

Actually, there are two victims of this type of attack when it is run: the network which is exploited to generate the ICMP traffic (called the intermediary, or "helper" network) and the system indicated by the spoofed IP address.




CVE 1999-0514
The Fraggle DoS attack is essentially based on the same concept as the Smurf attack (namely that generating huge amounts of network traffic will disable a machine or cause it to lose connectivity to the Internet), but uses UDP instead of ICMP. Although it is not as serious as some other attacks of this type, it will still generate a huge amount of network traffic.


UDP Flood


CVE 1999-0103

UDP Flood attacks exploit UDP services which are known to reply to packets. Here is how it works: a hacker is armed with a list of broadcast addresses, to which he/she sends spoofed UDP packets. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, it is directed to the chargen port (a port that generates a number of characters when queried). Sometimes a hacker is able to set up a loop between the echo and chargen ports, generating all that much more network traffic (this attack generally works on NT boxes).

The result of this attack is, as stated earlier, a massive amount of traffic on the network. Whole networks may crawl to a stop and individual systems may lose connectivity to the Internet and/or, in some cases, crash.

The key to protecting against, and suppressing these types of attacks, is to ensure that your network will not be used as an intermediary. This may be done by configuring routers to not allow IP directed-broadcast transmissions (on Cisco routers, use the "no ip directed-broadcast" interface command). All routers which provide routing to large multi-access broadcast networks, in other words LANs with more than 5 to 10 devices, should be configured in this way. This resolution is indirect, but is, at this point, the surest method for eliminating these types of attacks.
Unfortunately, there is no sure method for protecting against being the ultimate target for Smurf type attacks. For the Smurf attack, the surest and safest fix is to configure routers to turn away all incoming ICMP packets. Unfortunately, this will render several ICMP dependent services, such as ping and traceroute, unusable. Other router configuration methods do exist, and you may read about them in PSI's Filter configuration page. Other methods, such as ICMP filtering and dropping excess packets at network border routers, are not foolproof but may help alleviate the symptoms of Smurf type attacks. These methods are described in WinPlanet's Smurf Exploit page, and also in InterNIC rfc2267 . If you suspect that you have been the victim of a Smurf attack, you may want to download the Smurf logger , which will allow you to log future Smurf attacks (and other information, such as the broadcast address being used as the intermediary).

As with the Smurf attack, the Fraggle attack is particularly hard to defend against. Some suggestions include blocking broadcast UDP at the router, and perhaps blocking UDP at all terminal servers as well (to prevent malicious network users from flooding out the network). Read the Smurf information above for more information on router configuration tips and border router packet filtering techniques that may prove useful in defending against these types of attacks.

Where can I read more about this?
Visit Rootshell to read about the Fraggle and Papasmurf Denial of Service attacks. Also see the X-Force Advisory on Fraggle.
You can read more about the Smurf attack at Rootshell's Smurf page. Another good source of information is Craig A. Huegen's Smurf Whitepaper

. Be sure to also to read the Smurf information in CERT Advisory 98.01

For more information on the UDP Flood attack, see CERT Advisory 96.01.

To keep abreast of existing and emerging Denial of Service attacks, and other security threats, visit the Microsoft security advisor, the Windows central bug site , CERT , and/or ircHelp. If information on a specific attack is not located on these sites, keep checking back as they are updated frequently.

Hope this helps with packet flooding and this type of DoS attack.