
**smurf** attacks

N/A

**smurf** attacks

My 3Com wireless router (wireless is disabled) is suffering from smurf DOS attacks.

How do I raise this with plusnet? I can't find anywhere now, how I "ask a question". Everything points me to the help assistant, and all that gives me is an abuse@plus.net address, which I've already emailed.

What happened to the facility to raise a question via the website?

Anyway, back to the smurf attacks. The router is fine following a reboot, for 5 mins or so, then it dies and I have to turn it off and on again. The logs show the time/date then **smurf** then some IP addresses and (ATM).

How can I report these DOS attacks? How can I stop them? I have the firewall on, and I am blocking ICMP Ping replies.
17 REPLIES
N/A

**smurf** attacks

If you pretend you have a billing fault, and if you look closely enough you probably have, then it gets you through to a ticket raising page.
N/A

**smurf** attacks

Thanks flurble, ticket now raised. Hope I get an answer soon.
N/A

**smurf** attacks

Or ring the sales number for new customers. They answer the phone immediately and will put you through. I've used it in the past.
N/A

**smurf** attacks

This is an example

2006.07.01 01:32:54 Smurf 245.153.168.217, 21897->> 138.228.148.62, 7182 (from ATM Inbound)
N/A

**smurf** attacks

looks to me like you have "my web search" loaded in your browser.

Dispose of it!!!!!!!
N/A

Erm

What the hell are you talking about?

Info on smurf attacks:

http://en.wikipedia.org/wiki/Smurf_attack

Quote
The smurf attack, named after its exploit program, is a denial-of-service attack which uses spoofed broadcast ping messages to flood a target system.

In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, all of it having a spoofed source address of the intended victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, potentially hundreds of machines might reply to each packet.

Several years ago, most IP networks could lend themselves thus to smurf attacks -- in the lingo, they were "smurfable". Today, thanks largely to the ease with which administrators can make a network immune to this abuse, very few networks remain smurfable. [1]

To secure a network with a Cisco router from taking part in a smurf attack, it suffices to issue the router command `no ip directed-broadcast`.
N/A

**smurf** attacks

Have you tried disabling the logging? Maybe the logfile is causing a problem too.
N/A

**smurf** attacks

I have been seeing that smurf attack lately as well.
tumnus
Grafter
Posts: 104
Registered: 19-08-2007

**smurf** attacks

I have the 3Com modem too and I get Smurf attacks fairly frequently, however it could just be the modem misdiagnosing missent/corrupt packets as much as real attacks.

When you say you're under attack, how many Smurf attacks do you see in the log every minute or hour?

Have you also upgraded to the latest firmware? I think the latest version is 2.06 and is much improved over the previous version.
N/A

**smurf** attacks

Hi cpinkey

I am running the latest firmware off the 3com site.
I get quite a few attacks, but they only seem to start when I go online. The box is not set to disconnect. It is on a timer switch to save power. It is turned off at 11pm and back on again at 7pm. I typically go online from 8pm and that's when the fun and games start.

I can sometimes surf for 10-15 mins before anything happens. Other times I can only use it for 2-3 mins. Each time I have to restart or power off-on the 3com. The status page says ADSL is Connected, but I lose all internet connectivity.

This all seems to have started on 06/06/2006 which is when I noticed I'd been upgraded to 2.2Meg from 1Meg. I'd been having all manner of problems since June, but I only just twigged that the smurf attacks coincide.

Should I ask to change my static IP address to a different one? Or is the 3com bin fodder?
tumnus
Grafter
Posts: 104
Registered: 19-08-2007

**smurf** attacks

The Smurf attacks could be a complete red herring. It sounds like you have been upgraded to MaxDSL and that is the cause of your problems. Could you post some of your log when the connection drops, making sure there's no sensitive info in it, please?

Also what are the values in the Operational Data section under Status and logs->ADSL Status?
N/A

**smurf** attacks

Here's the response from tech support. Looks like I've got to contact the ISP of the people attacking my IP address. . . . .


Link:CUAremoved CSC Agent 10:49pm, Friday 14th July 2006

Dear Mr Blackwell,
If these attacks are happening constantly, I would suggest that you report these to the relevant abuse departments for the owners' ISPs. There is little we can do at the perimeter of our network to block these without affecting other legitimate services.

Regards,
Link:CUAremoved

-------------------------------------------------


So, how do I identify the other ISPs?

Here are some more from today's logs.
2006.07.01 13:28:33 Smurf 250.76.71.58, 0->> 187.77.136.45, 0 (from ATM Inbound)
2006.07.01 13:23:13 Smurf 244.113.108.196, 0->> 16.136.110.142, 0 (from ATM Inbound)
2006.07.01 13:20:52 Smurf 242.105.175.242, 28273->> 48.2.5.148, 50660 (from ATM Inbound)
2006.07.01 12:51:55 Winnuke 84.0.189.146, 25678->> 84.92.60.72, 139 (from ATM Inbound)

When the router stops, it just stops. Nothing else in the logs to give a reason why. Maybe it is just the MaxDSL symptoms after all... If that's the case, then I've been suffering since 6/06/2006 with no fix on the horizon.
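
Added example, not part of any post in this thread: a short Python triage of the router log lines quoted above, counting alerts per hour and checking whether each source address is one an abuse desk could act on. The function names and the "reserved / non-routable / routable" labels are this example's own; addresses in 240.0.0.0/4 are reserved and not allocated to any ISP.

```python
import ipaddress
import re
from collections import Counter

# Log lines quoted in this thread (the router's own format).
SAMPLE_LOG = """\
2006.07.01 13:28:33 Smurf 250.76.71.58, 0->> 187.77.136.45, 0 (from ATM Inbound)
2006.07.01 13:23:13 Smurf 244.113.108.196, 0->> 16.136.110.142, 0 (from ATM Inbound)
2006.07.01 13:20:52 Smurf 242.105.175.242, 28273->> 48.2.5.148, 50660 (from ATM Inbound)
2006.07.01 12:51:55 Winnuke 84.0.189.146, 25678->> 84.92.60.72, 139 (from ATM Inbound)
2006.07.01 01:32:54 Smurf 245.153.168.217, 21897->> 138.228.148.62, 7182 (from ATM Inbound)
"""

LINE_RE = re.compile(
    r"(?P<day>\d{4}\.\d\d\.\d\d) (?P<hour>\d\d):\d\d:\d\d\s+\**(?P<kind>\w+)\**\s+"
    r"(?P<src>[\d.]+),\s*\d+\s*->>\s*(?P<dst>[\d.]+),\s*\d+"
)

def source_class(ip):
    """Say whether an abuse report about this source address can go anywhere."""
    if ip.is_reserved:            # 240.0.0.0/4: never allocated to any network
        return "reserved"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return "non-routable"
    return "routable"

def parse(log):
    """Yield one dict per recognised log line; skip anything malformed."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        except ValueError:        # e.g. an octet above 255 in a corrupted line
            continue
        yield {"kind": m["kind"], "hour": f'{m["day"]} {m["hour"]}h',
               "src": src, "dst": dst, "src_class": source_class(src)}

def summarise(log):
    events = list(parse(log))
    return {
        "per_hour": Counter((e["kind"], e["hour"]) for e in events),
        "src_classes": Counter((e["kind"], e["src_class"]) for e in events),
        "distinct_dsts": {k: len({e["dst"] for e in events if e["kind"] == k})
                          for k in {e["kind"] for e in events}},
        "reportable": sorted(str(e["src"]) for e in events if e["src_class"] == "routable"),
    }

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(key, value)
```

On the quoted lines, all four Smurf entries have sources in reserved space and four different destination addresses, and only the Winnuke entry has a source that a whois lookup could tie to a network operator.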
tumnus
Grafter
Posts: 104
Registered: 19-08-2007

**smurf** attacks

Are there more attacks in between those? If not then those aren't all that frequent and shouldn't be causing a denial of service.

What are all the version numbers in the General Information section on the page 'Status and logs' of your modem?

Also what are the values in the Operational Data section on the page 'Status and logs->ADSL Status'? A low value (less than 6 dB) for the downstream noise margin might be indicative of MaxDSL problems, but you can get BT to increase the target noise margin to give more of a buffer so the connection remains stable.
N/A

**smurf** attacks

I've been loaned a DrayTek Vigor 2600 router, and it's not missed a beat.
No DOS attacks, no dropouts, it's now online 15 hours a day, with no issues whatsoever.

So, no problems with MaxDSL, or BT, or smurf attacks. Happy bunny now.
2.3MB downstream, and 480KB upstream, excellent.

The 3com is going back under warranty, and I'll probably get a DrayTek for myself. Very impressed.

Thanks for all the assistance.