Can't Find Smurf Attack

By Nickgreene
Have a small business running Server 2003 SBS as a file server. Somewhere an internal smurf attack has been introduced. The network includes 13 XP Pro machines and the one server. Using the McAfee firewall agent, I narrowed down the smurf attack to be coming from the server. Downloaded Avira Server Edition (fully functioning) and found no viruses. Also downloaded a spyware scanner that I use frequently on other sites, but still haven't found any trace of this attack. Any other way to find out how/where on the server this is happening? Please help.


All Answers


A bit of reading material

by Jacky Howe In reply to Can't Find Smurf Attack

Have you

by mamies In reply to Can't Find Smurf Attack

Have you minimised the effect of the smurf attack by adding different filters to your router?

Maybe a different router is needed

by Nickgreene In reply to Have you

I've read the "about smurf" attack page.

The router that the client purchased is a Linksys/Cisco WRV200 series. Not very configurable in setting up filters. Any blocking of services (proxy/Java/cookies) sounds as if it is for external attacks as opposed to internal attacks. I plan to replace the router with a Netgear FVS318 router/firewall in hopes I can limit this attack somewhat. What sort of filters would you be referring to? Blocking ICMP?

Even if I can limit it, I'd still like to be able to locate it on the server and get rid of it.

Just not sure where to look on the server to try and find this.


Wireshark can help you ID the source

by seanferd In reply to Maybe a different router ...

if you are still unsure as to where it is coming from.

Filter-wise, see the TR article at the link above. Block all incoming (from internet) ICMP. You could probably block all ICMP internally as well, unless you really need it.

Follow the links in the NORDUnet article. For instance

Thing is, it may be an active evil hacker, and not malware. The IPs can be spoofed, and probably are, so this may not actually be originating at the server.


Wireshark helped but..

by Nickgreene In reply to Wireshark can help you ID ...

Wireshark showed me the ICMP flood happening.

Source (router)
Destination (broadcast)

That seems to be all I can find from Wireshark. Why I think it's coming from this server is:

Site is 14 computers +/- a laptop or two. One computer provided by another company is running the McAfee firewall. I can watch it (McAfee firewall) note the smurf attacks, and I would take computers down one by one and check the status to see if it was still happening, until I took the server down and it stopped.

I'm not really needing to ping anything, unless there is a connection problem, but I can't find a way to deny the server the right to ICMP out. Rebuilding the server is a last resort option as they have legacy software.

The router is a Linksys WRV200.

Thanks for any help.
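The two Wireshark posts above (seanferd's advice that the IP source is probably spoofed, and Nickgreene's capture showing "Source (router), Destination (broadcast)") point at the same check: in a smurf flood the ICMP echo requests carry a forged IP source, so the field that identifies the real sender is the Ethernet source address of the frames, not the IP. The script below is an added example, not code from the thread or from any product mentioned in it. It parses capture records in the shape of a tshark field export (time, eth.src, ip.src, ip.dst, icmp.type), groups echo requests sent to a broadcast address by their claimed IP source and their Ethernet source, and reports any sender whose rate exceeds a threshold together with whether the IP source matches the MAC that host is known to own. The LAN range, host addresses, MACs and the capture itself are all constructed placeholders; the thread gives none of these values.

```python
"""Find an ICMP echo flood aimed at a broadcast address and name the real sender.

Added example for the thread above; addresses, MACs and packets are constructed.
Record format mirrors a tab-separated tshark field export:
    frame.time_relative  eth.src  ip.src  ip.dst  icmp.type
"""
from collections import defaultdict
import ipaddress

# Constructed LAN and "ARP table": which MAC really belongs to which address.
LAN = ipaddress.ip_network("192.168.1.0/24")
KNOWN_HOSTS = {
    "192.168.1.1": ("router", "00:11:22:33:44:01"),
    "192.168.1.10": ("sbs-server", "00:11:22:33:44:02"),
    "192.168.1.20": ("xp-workstation-1", "00:11:22:33:44:03"),
}
MAC_OWNER = {mac: name for name, mac in KNOWN_HOSTS.values()}


def constructed_capture():
    """Build a small capture: a spoofed broadcast flood plus normal traffic."""
    lines = []
    # 50 echo requests, 10 ms apart, sent from the server's NIC but claiming
    # the router's IP as source and addressed to the LAN broadcast address.
    for i in range(50):
        lines.append(f"{i * 0.010:.3f}\t00:11:22:33:44:02\t192.168.1.1\t192.168.1.255\t8")
    # Echo replies from a workstation back to the spoofed router address
    # (the amplification half of a smurf attack).
    for i in range(5):
        lines.append(f"{0.001 + i * 0.010:.3f}\t00:11:22:33:44:03\t192.168.1.20\t192.168.1.1\t0")
    # One ordinary unicast ping from the workstation to the server.
    lines.append("0.300\t00:11:22:33:44:03\t192.168.1.20\t192.168.1.10\t8")
    return "\n".join(lines)


def parse_capture(text):
    """Parse tab-separated records into (time, eth_src, ip_src, ip_dst, icmp_type)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, mac, src, dst, itype = line.split("\t")
        records.append((float(t), mac.lower(), ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(itype)))
    return records


def is_broadcast(addr, lan=LAN):
    """True for the LAN's directed broadcast or the limited broadcast address."""
    return addr == lan.broadcast_address or addr == ipaddress.ip_address("255.255.255.255")


def find_broadcast_echo_floods(records, lan=LAN, known_hosts=KNOWN_HOSTS, min_pps=10.0):
    """Return senders of echo requests to broadcast whose rate exceeds min_pps.

    Grouping by (claimed IP source, Ethernet source) separates the forged
    address from the NIC that actually emitted the frames.
    """
    by_sender = defaultdict(list)
    for t, mac, src, dst, itype in records:
        if itype == 8 and is_broadcast(dst, lan):      # ICMP type 8 = echo request
            by_sender[(str(src), mac)].append(t)

    findings = []
    for (src, mac), times in by_sender.items():
        span = max(times) - min(times)
        pps = len(times) / span if span > 0 else float(len(times))
        if pps < min_pps:
            continue
        expected_mac = known_hosts.get(src, (None, None))[1]
        findings.append({
            "claimed_src": src,
            "eth_src": mac,
            "sender": MAC_OWNER.get(mac, "unknown"),
            "packets": len(times),
            "pps": round(pps, 1),
            "spoofed": expected_mac is not None and expected_mac.lower() != mac,
        })
    return sorted(findings, key=lambda f: f["packets"], reverse=True)


if __name__ == "__main__":
    for f in find_broadcast_echo_floods(parse_capture(constructed_capture())):
        print(f"{f['claimed_src']} via {f['eth_src']} ({f['sender']}): "
              f"{f['packets']} echo requests, {f['pps']} pps, spoofed={f['spoofed']}")
```

To feed it a real capture, export the same fields from Wireshark or with tshark, for example `tshark -r capture.pcap -Y icmp -T fields -e frame.time_relative -e eth.src -e ip.src -e ip.dst -e icmp.type`; in the Wireshark GUI the equivalent view is the display filter `icmp.type == 8 && ip.dst == 192.168.1.255` (substitute the real broadcast address) with the Ethernet source column showing. A finding marked spoofed where the Ethernet source is the server's NIC is consistent with what the power-cycling test above suggested, while a different MAC would point at another host on the segment.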
