Amplification attacks – Amer Networks E5Web GUI User Manual

•

By stripping the URG bit by default from all TCP segments traversing the system. This is
configurable in the Web Interface by going to:
System > Advanced Settings > TCP Settings > TCP URG.

WinNuke attacks will usually show up in cOS Core logs as normal drops with the name of the IP
rule that disallowed the connection attempt.

For connections allowed through the system, "TCP" or "DROP" category (depending on the
TCPUrg setting) entries will appear, with a rule name of "TCPUrg". The sender IP address is not
likely to be spoofed; a full three-way handshake must be completed before out-of-band
segments can be sent.

6.6.7. Amplification Attacks

This category of attacks all make use of "amplifiers": poorly configured networks who amplify a
stream of packets and send it to the ultimate target. Historical examples of this include Smurf,
Papasmurf and Fraggle.

The goal with these attacks is excessive bandwidth consumption. That is to say, consuming all of
the victim's Internet connection capacity. An attacker with sufficient bandwidth can forgo the
entire amplification stage and simply stream enough bandwidth at the victim. However, these
attacks allows attackers with less bandwidth than the victim to amplify their data stream to
overwhelm the victim.

•

"Smurf" and "Papasmurf" send ICMP echo packets to the broadcast address of open networks
with many machines, faking the source IP address to be that of the victim. All machines on
the open network then "respond" to the victim.

•

"Fraggle" uses the same general idea, but instead using UDP echo (port 7) to accomplish the
task. Fraggle generally gets lower amplification factors since there are fewer hosts on the
Internet that have the UDP echo service enabled.

Smurf attacks will show up in cOS Core logs as masses of dropped ICMP Echo Reply packets. The
source IP addresses will be those of the amplifier networks used. Fraggle attacks will show up in
cOS Core logs as masses of dropped (or allowed, depending on policy) packets. The source IP
addresses will be those of the amplifier networks used.

Avoiding Becoming an Amplifier

Even though the brunt of the bandwidth stream is at the ultimate victim's side, being selected as
an amplifier network can also consume great resources. In its default configuration, cOS Core
explicitly drops packets sent to broadcast address of directly connected networks (configurable
via System > Advanced Settings > IP Settings > DirectedBroadcasts). However, with a
reasonable inbound policy, no protected network should ever have to worry about becoming a
smurf amplifier.

Protection on the Victim's Side

Smurf, and its followers, are resource exhaustion attacks in that they use up Internet connection
capacity. In the general case, the security gateway is situated at the "wrong" side of the Internet
connection bottleneck to provide much protection against this class of attacks. The damage has
already been done by the time the packets reach the gateway.

However, cOS Core can help in keeping the load off of internal servers, making them available for
internal service, or perhaps service via a secondary Internet connection not targeted by the
attack.

Chapter 6: Security Mechanisms

483