Thread: ICMP type 11 and Smurf Attacks???

  1. #1

    ICMP type 11 and Smurf Attacks???

    Can anyone tell me if allowing type 11 ICMP (time exceeded) to a network will make it vulnerable to Smurf Attacks? I know that Smurf Attacks use echo/icmp, but is it possible to do one with type 11? I am going through our IDS' events and we have seen some possible Smurfs. I am not vulnerable to echo/icmp, but I just wanna double check on type 11. Thanks in advance.
    “It will not bother me should I live my entire life without having to kill a man but I have to say I'm glad to be surrounded by a thousand 19 year-old Marines who can't wait to.”

    email reportedly from an Air Force EOD Tech at Kandahar airfield

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    144
    I don't believe so, type 11 would just allow your network to respond sooner to down sites and make it possible for you to traceroute an address...

    not necessary, but it all depends on how scared you are that little blue men are going to come interfere with your network cables..

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    As far as I know, this would have no effect on a smurf attack. The smurf attacks work by spoofing the source of the ICMP echo request (type 8) to be directed at the network ID or network broadcast of some other range. Then every machine on that network, unless precautions have been made, will obligingly respond to the echo request with an echo reply (type 0, code 0) to the source (which is spoofed). In this case, the spoofed source is the victim of the smurf attack.

    Aside from blocking ICMP type 8 and type 0 from your gateways, you can also configure your switches/routers (at least in cisco) with a no directed broadcast statement...

    So, while you would probably be protected from a smurf attack, there are reasons why you would want to block time exceeded (TTL expired), the primary one being this is what traceroute uses to map network hops...and can potentially be used by things like firewalk to map out firewall rules...

    As a general rule, I would suggest blocking all ICMP at your gateways (except for maybe your ISP to ping your router), and then allow ICMP internally, but making sure to not allow directed broadcasts (which is what smurf is doing).

    Hope that helps,

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
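Nebulus's description above maps directly onto what a defender can look for in flow or IDS records: echo requests (type 8) aimed at a network's broadcast or network address (the amplifier side), and a burst of echo replies (type 0) from many internal hosts converging on one external address (the spoofed victim side), while time exceeded (type 11) packets are simply classified as TTL-expired and never counted as smurf evidence. The following is an added example written for this thread, not code posted by anyone in it; the flow records, the 192.0.2.0/24 internal network and the fan-out threshold are constructed assumptions.

```python
"""Classify ICMP flow records for the smurf pattern described in the thread.

Added illustration; the sample flows below are constructed, not captured traffic.
Each record is (src, dst, icmp_type, icmp_code).
"""
import ipaddress
from collections import Counter, defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Assumed internal address space (constructed for the example).
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records: two directed-broadcast echo requests whose spoofed
# source is 203.0.113.7, the resulting fan-out of echo replies to that address,
# one ordinary ping and its reply, and one TTL-expired message from a traceroute.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.255", ICMP_ECHO_REQUEST, 0),   # echo request to broadcast address
    ("203.0.113.7", "192.0.2.0", ICMP_ECHO_REQUEST, 0),     # echo request to network address
    ("198.51.100.20", "192.0.2.10", ICMP_ECHO_REQUEST, 0),  # ordinary ping to one host
    ("192.0.2.1", "198.51.100.20", ICMP_TIME_EXCEEDED, 0),  # traceroute hop reply, not smurf
    ("192.0.2.11", "203.0.113.7", ICMP_ECHO_REPLY, 0),      # amplified replies to spoofed source
    ("192.0.2.12", "203.0.113.7", ICMP_ECHO_REPLY, 0),
    ("192.0.2.13", "203.0.113.7", ICMP_ECHO_REPLY, 0),
    ("192.0.2.10", "198.51.100.20", ICMP_ECHO_REPLY, 0),    # normal reply to the ordinary ping
]


def is_directed_broadcast(dst: str, networks) -> bool:
    """True if dst is the broadcast or network address of one of our networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in (net.broadcast_address, net.network_address) for net in networks)


def is_internal(addr: str, networks) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify(flow, networks) -> str:
    """Label one flow record. Only type 8 to a broadcast/network address is the smurf pattern."""
    _src, dst, icmp_type, _code = flow
    if icmp_type == ICMP_ECHO_REQUEST and is_directed_broadcast(dst, networks):
        return "smurf-amplification-attempt"
    if icmp_type == ICMP_TIME_EXCEEDED:
        return "ttl-expired"  # traceroute / path MTU style traffic; not a smurf indicator
    if icmp_type == ICMP_ECHO_REQUEST:
        return "echo-request"
    if icmp_type == ICMP_ECHO_REPLY:
        return "echo-reply"
    return "other"


def summarize(flows, networks) -> dict:
    """Aggregate the two observable sides of a smurf.

    broadcast_echo_requests: spoofed source address -> number of directed-broadcast
                             echo requests claiming to come from it.
    reply_fanout:            external destination -> number of distinct internal hosts
                             that sent it an echo reply.
    """
    broadcast_requests = Counter()
    repliers = defaultdict(set)
    for flow in flows:
        src, dst, icmp_type, _code = flow
        if classify(flow, networks) == "smurf-amplification-attempt":
            broadcast_requests[src] += 1
        elif icmp_type == ICMP_ECHO_REPLY and is_internal(src, networks) and not is_internal(dst, networks):
            repliers[dst].add(src)
    return {
        "broadcast_echo_requests": dict(broadcast_requests),
        "reply_fanout": {dst: len(srcs) for dst, srcs in repliers.items()},
    }


def suspected_victims(flows, networks, min_fanout: int = 3) -> list:
    """External addresses receiving echo replies from at least min_fanout internal hosts.

    These are the spoofed sources, i.e. the real targets of the attack; the threshold
    is an assumption to be tuned to the size of the monitored network.
    """
    fanout = summarize(flows, networks)["reply_fanout"]
    return sorted(dst for dst, n in fanout.items() if n >= min_fanout)


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow[0]:>14} -> {flow[1]:<14} type {flow[2]:>2}: {classify(flow, INTERNAL_NETWORKS)}")
    print(summarize(SAMPLE_FLOWS, INTERNAL_NETWORKS))
    print("suspected victims:", suspected_victims(SAMPLE_FLOWS, INTERNAL_NETWORKS))
```

Note that the type 11 record is labelled `ttl-expired` and contributes to neither counter, which is the point of the thread: allowing time exceeded in does not add a smurf exposure. The broadcast-request counter only fires when the amplifier is your own network, so a site that has already disabled directed broadcasts (Cisco's `no ip directed-broadcast`, as nebulus mentions) should see that counter stay at zero even while echo requests to .255 keep arriving.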
