Intruders?

Chris Belwinds

My router keeps telling me I have "SYN Flood" attacks every now and then but I believe that is harmless. They normally look like this:

01/04/2005 12:30:58 **SYN Flood to Host** 192.???.?.10?, 1283->> 205.188.250.25, 80 (from PPPoE Outbound) - ? = real digits are hidden!

However, a few days ago I had the following strange occurrence:

01/04/2005 02:19:31 **Smurf** 210.193.105.255, 28619->> 80.129.159.21, 1026 (from PPPoE Inbound)

Apparently someone ("Smurf"?) has been inside our network (PPPoE Inbound), right? Can anyone explain to me what this is all about, please? Even though I feel rather safe behind two walls - router and Mac OS X - I wish to know what is going on.
 
A google for the term "Network Smurf" turned up something that I had suspected: it is a common hacking tool.
The most comprehensive info I could find was here: http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

It reads:
A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function noted below, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.

However, first of all because this is a PPPoE inbound request, not an outbound request, I doubt it is on your own network. A real network guru would be able to tell you more.
Basically, they send out a whole lot of ping requests to a huge number of machines, giving a fake return path. These requests then all come flooding back in to one particular target that the attacker wants to disrupt service on.
It's most likely your network was one of the "huge number of machines" and not the target.
 
Someone tried a denial of service attack on you. Smurf is a distributed form of DoS that uses a SYN/ACK on your router. Either you pissed someone off, or you're just unlucky right now. I wouldn't worry too much about it. Try to disable external ping responses, that will help tremendously. If you don't have that option, LinkSys does. And if it isn't even causing any problems (it is kind of difficult to properly set up to be harmful), just do what everyone else does: report the IP to their ISP and get them booted.

-James
 
Actually, someone was trying to use your router in an attack against someone else - the destination was the broadcast address of your external interface. At worst, you contributed slightly to a DoS against someone else; but if your router caught it, then probably not. Don't worry much about the inbound stuff - that's what you have a router/firewall for.

It's the outbound stuff you should worry about. Did you, or someone on your network, launch those SYN flood attacks? If not, could it be there's someone running programs on your systems that you don't know about?

Do you have inbound access of any sort (ssh or anything else) on your router? If not (good), then you might want to consider turning off all outbound access for a little while (during a time you don't need to use the net, obviously), and watching your router's logs. See if you can make it stop and log all outbound connection attempts. If there is remote control software on your computer that connects back to someone's computer, you should see its outbound connections failing.
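The two kinds of log line quoted at the top of the thread, and the advice just above to watch the router's logs for outbound connection attempts, lend themselves to a small triage script. The following is an added example, not code from the thread or from any router vendor: it assumes the one-line event format shown in the original post (`DATE TIME **EVENT** SRC, SPORT->> DST, DPORT (from IFACE Inbound|Outbound)`), assumes a /24 mask when deciding whether an address is a directed-broadcast address (the log carries no mask), and uses verdict labels of my own. The sample lines are constructed in that format with documentation-range and private addresses, not the poster's real ones.

```python
"""Triage helper for router event lines of the kind quoted in the thread.

Added example (not from the thread or a vendor). Assumptions: the one-line
event format shown in the first post, and a /24 mask for broadcast checks.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Event format as it appears in the thread:
# DATE TIME **EVENT** SRC, SPORT->> DST, DPORT (from IFACE Inbound|Outbound)
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\*\*(?P<event>[^*]+)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>\S+) (?P<direction>Inbound|Outbound)\)"
)


@dataclass
class Event:
    when: str
    kind: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str


def parse_line(line: str):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        when=f"{m['date']} {m['time']}",
        kind=m["event"].strip(),
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        direction=m["direction"],
    )


def is_directed_broadcast(addr: str, prefixlen: int = 24) -> bool:
    """True if addr is the broadcast address of its /prefixlen network.

    The router log gives no mask, so the /24 default is an assumption.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return ip == net.broadcast_address


def classify(ev: Event) -> str:
    """Map one event to a defender-facing verdict (labels are my own)."""
    if ev.direction == "Inbound":
        # Smurf reflection shows up as a broadcast address on one side of the
        # flow; the router logged and dropped it, so it says nothing about the LAN.
        if (ev.kind.lower().startswith("smurf")
                or is_directed_broadcast(ev.src)
                or is_directed_broadcast(ev.dst)):
            return "inbound-reflection-blocked"
        return "inbound-blocked"
    # Outbound events originate inside the LAN: a flood from a private
    # address points at a host worth inspecting, as the last post advises.
    if ev.kind.lower().startswith("syn flood"):
        if ipaddress.ip_address(ev.src).is_private:
            return "outbound-flood-from-lan-host"
        return "outbound-flood"
    return "outbound-other"


def triage(lines):
    """Parse a log, classify each event, and count outbound floods per LAN host."""
    verdicts = []
    lan_offenders = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:          # skip lines that are not router events
            continue
        verdict = classify(ev)
        verdicts.append((ev, verdict))
        if verdict == "outbound-flood-from-lan-host":
            lan_offenders[ev.src] += 1
    return verdicts, lan_offenders


# Constructed sample lines in the thread's format; the addresses are made up
# (RFC 5737 documentation ranges plus one private LAN address).
SAMPLE_LOG = [
    "01/04/2005 12:30:58 **SYN Flood to Host** 192.168.0.7, 1283->> 203.0.113.25, 80 (from PPPoE Outbound)",
    "01/04/2005 12:31:02 **SYN Flood to Host** 192.168.0.7, 1284->> 203.0.113.25, 80 (from PPPoE Outbound)",
    "01/04/2005 02:19:31 **Smurf** 198.51.100.255, 28619->> 192.0.2.21, 1026 (from PPPoE Inbound)",
    "garbage line the router never wrote",
]

if __name__ == "__main__":
    verdicts, offenders = triage(SAMPLE_LOG)
    for ev, verdict in verdicts:
        print(f"{ev.when} {ev.kind:<18} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}  {verdict}")
    for host, n in offenders.items():
        print(f"check LAN host {host}: {n} outbound flood event(s)")
```

Run against a real export of the router's log, the `lan_offenders` counter is the list of internal machines to look at first; the inbound Smurf lines sort themselves into the "blocked at the router" bucket and need no action on the LAN side.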
 