mziemba

join:2003-12-06

 Please Prove My Father Wrong!

OK, before anyone says anything, my father and I openly hate each other. I don't need any "family counseling" or anything; I am already seeing a shrink, and he even agrees with me that my father is a complete control freak.

------

OK tonight we got hit with a smurf attack. It comes through my IP on the network (I for some reason am ALWAYS the one that is the target for these attacks)

So the network goes down for 5 minutes.

Now my dad is all pissed off because I'm visiting all of these sites that are hacking into me. Yes you read that right. By simply visiting a website I can be hacked because of the cookies. Cookies can do EVERYTHING according to my dad.

No matter how many times I tell him it's not how it works, he doesn't believe me. Even I know that visiting a site that isn't constantly monitored or run on a 100% private server has NO chance of hacking into our network and initiating a SMURF attack.

If that's not sad enough, he thinks SMURF is a person.

I'm going to all of these rogue sites. Of course about 90% of them are about wrestling, or anime, or comics, or cartoons.

Of course that is more that he's mad that I'm 20 years old and I still watch cartoons. But that's not the point.

Please, I need some information to shut him up once and for all on this and how I can stop these "smurf" attacks from happening to our network.

We're running an SMC router (I can't remember the model)

(P.S. I'm willing to bet anyone $100 when I show him this he'll say "See you just gave out more of our information. you told them our router and now they can do more hacking!")

snoop69

join:2003-04-19
Cornwall, ON
Here is something your dad can read about smurf attacks, »www.cert.org/advisories/CA-1998-01.html hopefully you can get some peace of mind. :)


norky
Premium
join:2002-12-02
Lithia, FL

1 edit
reply to mziemba
there's not much you can do to stop a smurf

Perhaps he'll believe CERT? »www.cert.org/advisories/CA-1998-01.html

DOH! beaten to the punch!


pcscdma
Chocobo Chocobo Random Battle
Premium
join:2004-01-14
Winterset, IA

reply to mziemba
Are you the intermediate or the spoofed target of the SMURF? If you are the intermediate you can get a router or software that filters those packets. Cookies don't generate specially crafted ICMP packets. The web server that you are using could be set up to automatically use your IP for a SMURF. The web server needs your IP to SMURF and it needs your IP to send you the pages.
You could just have a popular IP address.
--
Be patriotic or I'm reporting you to Ashcroft.

mziemba

join:2003-12-06

reply to pcscdma
Re: Please Prove My Father Wrong!

I'm not really sure what you mean when you say "intermediate or spoofed target"

My Network address is the one that the SMURF attack goes to and thereby floods the network, slowing it to a snail's pace.

Some, if not Most, of the places that I visit are not run by people that would run SMURF.


Qumahlin
Never Enough Time
Premium,MVM
join:2001-10-05
united state

said by mziemba:
I'm not really sure what you mean when you say "intermediate or spoofed target"

My Network address is the one that the SMURF attack goes to and thereby floods the network, slowing it to a snail's pace.

Some, if not Most, of the places that I visit are not run by people that would run SMURF.

Do you use IRC or such? I ask because Smurf is not some random attack. If someone is launching a Smurf attack against you...repeatedly...then you did something to piss them off.
--
Forum Posts:4326

x539

join:2003-08-23
Oklahoma City, OK

reply to mziemba
I suspect that what you're seeing is not a "smurf attack" at all. Reason being that this is a very old-school attack, and it's pretty hard to pull it off effectively any more. The reasons this attack used to be successful are:

1. Windows machines used to reply to ICMP ECHO directed to the broadcast address. They haven't for several years. Note: Most Linux/UNIX machines in default configuration will. In Linux adding "net.ipv4.icmp_echo_ignore_broadcasts = 1" to sysctl.conf will stop this.

2. Most people used slower connections. It takes a whole lot more pings to knock someone off a broadband connection than off a 28.8 dialup.

What I think is more likely is that your router assumes that all x.x.x.0 and x.x.x.255 IPs are network/broadcast addresses, and classifies packets coming from these hosts as smurfs. That is not necessarily the case though, as those addresses are dependent on the size of the subnet. For example, the address 10.1.4.255 is not a broadcast address on a 10.1.0.0/16 network.

As far as why the network "goes down", it would appear that way if you were waiting for packets from a host that your router was eating because it thinks it's an attack.

It's possible that you really are the victim of a smurf attack, but I would say that it's highly improbable.
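
The subnet-size point in x539's post above, as an added example that is not part of the original thread: it compares the suspected "any x.x.x.0 or x.x.x.255 is a broadcast" rule with a prefix-aware check. The function names and the sample address/prefix pairs are constructed for illustration; only 10.1.4.255 on 10.1.0.0/16 comes from the post.

```python
import ipaddress

def naive_is_broadcast(addr: str) -> bool:
    """Suspected router heuristic: last octet 0 or 255 means network/broadcast."""
    return addr.rsplit(".", 1)[1] in ("0", "255")

def classify(addr: str, prefix: str) -> str:
    """Classify addr as 'network', 'broadcast' or 'host' within its real subnet."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(prefix, strict=True)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    if net.prefixlen >= 31:
        # /31 and /32 have no separate network or broadcast address
        return "host"
    if ip == net.broadcast_address:
        return "broadcast"
    if ip == net.network_address:
        return "network"
    return "host"

def false_positives(samples):
    """Ordinary hosts that the naive rule would log as a smurf source."""
    return [a for a, p in samples
            if naive_is_broadcast(a) and classify(a, p) == "host"]

def missed_broadcasts(samples):
    """Real directed-broadcast addresses the naive rule does not recognise."""
    return [a for a, p in samples
            if not naive_is_broadcast(a) and classify(a, p) == "broadcast"]

# Constructed sample: (address, prefix of the subnet the address lives in)
SAMPLES = [
    ("10.1.4.255", "10.1.0.0/16"),        # x539's example: an ordinary host
    ("10.1.255.255", "10.1.0.0/16"),      # the actual broadcast of that /16
    ("192.168.2.255", "192.168.2.0/24"),  # broadcast; naive rule is right here
    ("172.16.5.0", "172.16.4.0/22"),      # ordinary host ending in .0
    ("192.168.2.127", "192.168.2.0/25"),  # broadcast that ends in neither
    ("192.168.2.10", "192.168.2.0/24"),   # ordinary host
]

if __name__ == "__main__":
    for addr, prefix in SAMPLES:
        print(f"{addr:16} {prefix:18} naive={naive_is_broadcast(addr)!s:5} "
              f"actual={classify(addr, prefix)}")
    print("false positives:", false_positives(SAMPLES))
    print("missed broadcasts:", missed_broadcasts(SAMPLES))
```

A router applying the last-octet rule would drop replies from the two false-positive hosts, which matches the "network goes down" symptom x539 describes.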


EGeezer
Summertime -
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

reply to mziemba
said by mziemba:
Some, if not Most, of the places that I visit are not run by people that would run SMURF.

Some if not most - This in itself should be a red flag that you may be driving in questionable neighborhoods, so to speak. With that in mind, the ICMPs could be caused by just about anything from connection to game servers to P2P setups, IRC and so on.

We don't know what security settings, tools, apps, AV/AT/firewall products you are using, let alone how current they are or if you bypass them to "install this viewer to see the movie" or similar prompt. We don't even know what operating system(s) or how many PCs are involved.

With that in mind, it's hard to determine with any confidence what could cause your problem. It could even be as simple as a bad connection or NIC and the "smurfs" reported in logs could be entirely unrelated.

My recommendation is to review the security FAQs, particularly »Security »How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach: and »Microsoft Application Tips and Tweaks »Concerning Internet Options Security, what do some of the settings mean if you are using IE.

If you're playing in the street or 'hood, become streetwise or prepare to get run over or ripped off occasionally.
--
Eschew obfuscation


Jason Levine
Premium
join:2001-07-13
Albany, NY

reply to mziemba
said by mziemba:
Now my dad is all pissed off be cause I'm visiting all of these sites that are hacking into me. Yes you read that right. By simply visiting a website I can be hacked because of the cookies. Cookies can do EVERYTHING according to my dad.
Let me guess: He probably thinks that sites can also read your e-mail address via cookies and then spam you.

It really is a shame that people overreact so much to cookies. They really aren't much of a threat. The worst that can be done with cookies is that a banner ad network can track which sites you've been to via 3rd party cookies. Disable 3rd party cookies or delete their cookies, and all that information is lost.

As far as hacking "through" cookies goes, cookies are just plain text files. A website (for example, BBR) will store a cookie on your hard drive containing some information (for example, your username/password) that it will need later. This information is stored in plain text and can only be accessed by the website that stored it. (Security holes notwithstanding.)

Any hacker that is trying to gain access to your system won't do it by writing a small text file to your computer. They'll do it by trying to get you to run a program, become infected with a virus/worm, visit a site with malicious ActiveX content, or exploit a security hole that you haven't patched. Cookies are useless for hackers attempting to gain entry. Of course, once a hacker gains access to your system, all bets are off and they might read your cookies to get some personal information that is stored there.

said by mziemba:

(P.S. I'm willing to bet anyone $100 when I show him this he'll say "See you just gave out more of our information. you told them our router and now they can do more hacking!")

I won't take that bet. I know about controlling fathers who don't know much about technology. (Or rather, know just enough terminology to be dangerous.)

I agree that any information that you show him will be quickly written off as not proving him wrong. I'm a big proponent for educating users who don't know much, but, unfortunately, there are some people in this world that you just can't reason with. They think they know everything there is to know and any evidence to the contrary must be mistaken. With these folks, it's sometimes best just to nod and then do your own thing. Either that or have some fun with their misunderstanding of technology. ("Yes, it turns out that the hacker tried to come in through the cookie, but luckily I was able to inject some JavaScript into his system via the TCP port in the nick of time.")
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/


dp
Premium,MVM
join:2000-12-08
Greensburg, PA
·Verizon Online DSL

said by Jason Levine:
.... With these folks, it's sometimes best just to either nod and then do your own thing. Either that or have some fun with their mis-understanding of technology
I find the head nod works best for me
--
Write your questions down on the back of a $20 dollar bill and send them to me


BurntCricket
Gotta Do What Ya Gotta Do
Premium
join:2000-09-02
Here

1 edit
reply to mziemba
Are you sure it's a SMURF attack?? I am leaning more to something on YOUR system since it seems to be the target (source).
--
The only vote that's wasted is one that isn't cast.


IGGY
No Guru Just Here To Help
Premium,MVM
join:2001-03-30
Chatham, IL


1 edit
reply to mziemba
»www.google.com/search?hl=en&ie=U···+testing

Why not just have your father test your setup for himself? Google has a list of many sites that will allow you to test your setup, to see if in fact it is secure from most exploits.
--
Test Your Security
Team Z Member
Cable Modem Diagnostics

mziemba

join:2003-12-06

reply to mziemba
It is a SMURF attack.

It says it on the Logs "SMURF" is the one going to my address and flooding it resulting in the network going down for several minutes.

You're also not going to believe this, but my Dad works for an ISP.

Yes. He even works in the industry and doesn't know jack about it.

mziemba

join:2003-12-06

reply to EGeezer
"Some if not most - This in itself should be a red flag that you may be driving in questionable neighborhoods, so to speak. With that in mind, the ICMPs could be caused by just about anything from connection to game servers to P2P setups, IRC and so on."

I run IRC but I have never never pissed any individual off and keep only 2 ports open (used by the Invision script I have in conjunction with my firewall).

Like I said, most of the sites are run by professional individuals. www.toonzone.net, www.voltron.info, www.lordsofpain.net, www.puroresupower.com, www.puroresufan.com, and gamefaqs.com are my most visited sites. And about half the time that's about all I do online.

"We don't know what security settings, tools, apps, AV/AT/firewall products you are using, let alone how current they are or if you bypass them to "install this viewer to see the movie" or similar prompt. We don't even know what operating system(s) or how many PCs are involved."

Router is an SMC7008ABR with, as far as I know, a default setup (I am not permitted to access anything in the router because I attempted to use the Port Forwarding for BitTorrent.)

I think we're running the standard factory settings Firewall out of that. (Like I said, I'm not allowed to check myself, and even with my father present I'm not allowed to look around without him watching and asking me what I'm doing and belittling me the entire time.) And I'm the only one that is running a personal firewall on a PC hooked up to the network (Zone Alarm Pro). The firewall on my PC NEVER goes off when someone is attempting to get into it. I have it set to block any and all incoming information unless I say it's ok, and still have never seen anything.

The Network consists of 2 PCs running Windows 2000, one running ME (mine), one running XP Professional, and a PlayStation 2 (which half the time isn't hooked up to the network).

The SMURFs in the logs are from other people, but they are spoofing the IP address. I've had at least 2 that have come from the University of Nebraska, and yes we've contacted them and they have said there is no one hooked up to the addresses (yes plural) that were SMURFing us.


IGGY
No Guru Just Here To Help
Premium,MVM
join:2001-03-30
Chatham, IL


1 edit
"And I'm the only one that is running a personal firewall on a PC hooked up to the network (Zone Alarm Pro). The firewall on my PC NEVER goes off when someone is attempting to get into is. I have it set to block any and all incoming information unless I say it's ok, and still have never seen anything."

You shouldn't see anything incoming with the software firewall if the router is set up properly. It would seem it is, since you're not seeing any alerts with the software firewall. You should see alerts when programs want access out for the 1st time etc. The router should be handling anything that is incoming before it has a chance to even reach the software firewall.
--
Test Your Security
Team Z Member
Cable Modem Diagnostics

Dingleberry

join:2001-04-29
532xx
reply to mziemba
So are you being attacked by a pink smurf?

Or is it a smurf wearing makeup?

Or is it smurfette? Personally I always thought she was kinda cute....

I'm so confused....

bluezanetti
Premium
join:2003-10-04
reply to mziemba
Following on x539's comment...., have you checked »Barricade's See x.x.x.0 / x.x.x.255 as Broadcast. out? It may be relevant to your problems....

Blue


BurntCricket
Gotta Do What Ya Gotta Do
Premium
join:2000-09-02
Here
·RoadRunner Cable


1 edit
reply to Dingleberry
said by Dingleberry:
So are you being attacked by a pink smurf?

Or is it a smurf wearing makeup?

Or is it smurfette? Personally I always thought she was kinda cute....

I'm so confused....

I always wondered about Smurfette >> one female among MANY males. Smurfette is kinda HOT in a Smurfy way.
--
The only vote that's wasted is one that isn't cast.


shelf life

join:2002-02-20
Baton Rouge, LA

reply to mziemba
said by mziemba:
We're running an SMC router (I can't remember the model)

Don't know what SMC router you have; I see smurf attacks sometimes in my log. (SMC Barricade)

"When the SPI (Stateful Packet Inspection) firewall feature is enabled, all packets can be blocked. Stateful Packet Inspection (SPI) allows full support of different application types that are using dynamic port numbers. For the applications checked in the list below, the Barricade will support full operation as initiated from the local LAN.

The Barricade firewall can block common hacker attacks, including IP Spoofing, Land Attack, Ping of Death, IP with zero length, Smurf Attack, UDP port loopback, Snork Attack, TCP null scan, and TCP SYN flooding."
© 1999-2009 dslreports.com