Smurf Amplifier Finding Executive - FAQ

Google

Home | Credits | FAQ



1. Who or what on Earth is SAFE?

SAFE is described as feeling secure and protected from hard or danger. In today's internet world, where is this danger? One place it can lurk is on the borders of your network. Networks opening Directed IP broadcasts are being abused daily by crackers to take down other Internet sites. Last year we saw a spectacular display of this when major sites such as Yahoo.com were attacked, leaving them unreachable for days.
In our context, SAFE stands for "Smurf Amplifier Finding Executive". Safe is a voluntary organization established in mid-2001 to help Network Administrators identify Smurf Amplifiers in Europe.

2. What are Directed IP Broadcasts?

Computers communicate with each other across the Internet and many other public and private network using a protocol (a language) known as IP - Internet Protocol.
IP has a number of layers or communications methods under it, some of which you may have heard of. These some of these are TCP, UDP and ICMP. In our case it is ICMP that we will look at.
One of the things the ICMP protocol allows you to do is "ping" other hosts on a network. This involves sending one packet of information with the following data in it:
Your IP address : Destination IP address : ICMP type (echo request)
If your PC sent my PC a single packet like that, the result would be my PC sending a ICMP Echo Reply back to yours.
IP Broadcasts occur when the first or last IP address in your network range is pinged. A misconfigured router will forward this ping request to every machine on your network. The result here is every machine on the network replying to the single original packet.

3. So what is a Smurf attack?

A Smurf attack is simply an abuse of Directed IP Broadcasts. It involves spoofing the source address of the Ping / Echo request message, to that of an intended target. When machines on a network encounter this packet, instead of reply to the real packet sender the reply to the faked source address. This results in another party getting flooded with hundreds - or maybe thousands - or packets per second.
Oh, did I mention this can use up all of the availible bandwidth on an Internet connection from the party being used for their Directed IP Broadcasts?? If you allow Direct IP Broadcasts in this way, you are a Smurf Amplifier (you amplify Smurf attacks!)

4. What does SAFE do?

SAFE scans all of the networks in Europe, who are connected to the Internet. Our aim is to find Smurf Amplifiers in Europe, and alert network adminsitrators who manage those networks. To our knowledge no networks require allowing an external source to ping all the hosts on a network. Most network adminsitrators understand this, but may not realise they are acting as smurf amplifiers. If your network range appears in our scans please do not take it as an attack or insult. We're here to let you know that you're acting as a Smurf Amplifier!

5. How can SAFE help me or my network?

SAFE search out Smurf Amplifiers in Europe for two reasons: So you really have two choices. If you find your network on the SAFE lists, you can fix your network - which means you'll be removed within a few days. OR, you can choose to block IP addresses found on the SAFE lists. Soon we will be releasing the lists in ACL format for routers.

6. What do SAFE care how I run my network?

We do care. We care a lot. In fact, if you have any questions or are in need of any help for anything Denial of Service related, SAFE will do whatever we can to help. Just drop us an email at: safe@ircnetops.org

7. OK, You've convinced me - Now what?

So you want to fix your network? You have two choices! You can either go find the manual or website for your router, or you can try one of our links below. We make no guarantees that what we suggest will work, but we have obviously tried very hard to get accurate information to you! If you're in any doubt, double check with your manual or with your Manufacturer's website. If you know of any inforamtion that should be included here either above, or below, please drop us a mail at safe@ircnetops.org

*Chris's Disclaimer (applies to indicated 'How to disable Directed IP Broadcasts' elements):
I'm speaking about this as an interested party only. All text in this paper was written by me; I speak/write for no one but myself. No vendors have officially confirmed/denied any of the information contained herein. All research for this paper is being done purely as a matter of self-interest and desire to help others minimize effects of this attack.