Solved

Smurf Amplification Attack from a MACBOOK OSX

Posted on 2013-12-13
3
1,224 Views
Last Modified: 2013-12-17
Our sonicwall logs show tons of dropped "smurf amplification attack" entries from one of our peoples MacBook running OSX  over our wireless network, we have ran 2 separate antivuris scans on it and nothing has been found, if I disable access from the MAC address, no more attacks to definitely originating from that laptop. My question is could this be a false positive? It literally drops an attach every 2-3 minutes.
0
Comment
Question by:Javier_Arroyo
  • 2
3 Comments
 
LVL 24

Expert Comment

by:diverseit
ID: 39717678
Hi Javier_Arroyo,

SonicWALL has detected and prevented a Denial of Service attack. A Smurf Attack occurs when a single packet such as an ICMP echo frame is sent to a group of machines on the Internet with the source address replaced by the target computer or network IP address. This causes a flurry of echo responses to be sent to the target machine, which can overflow the target computer or network. This alert indicates that somebody is attempting to use your network as a smurf amplifier. Broadcasts on the local segment can sometimes trigger false Smurf Attack alerts.

What AV scan applications did you used to scan the MacBook?

SonicWALL has received a lot of inquiries about Smurf attack messages since 8/19/03, the day after the Sobig Worm and Nachi Virus spread. Smurf Amplification Attacks prior to that date were not as frequent as are currently being reported. About the only thing you can do is request your ISP to block the suspect source addresses, but they are not likely to take any action.

You can unselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages.

Let me know if you have any other questions!
0
 

Author Comment

by:Javier_Arroyo
ID: 39717804
Yea I saw all of the above in a posting somewhere. As far as the AV software used Sophos for MAC and
0
 
LVL 24

Accepted Solution

by:
diverseit earned 500 total points
ID: 39723184
It's not cost effective to trace Forged headers because by definition they are false. Your logs may do no good because the source can't be trusted to be the actual source.

It takes a poorly configured network or set of devices to make the amplification work "better". That is why I said, "you can deselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages."

As a precaution, you can run: http://www.eset.com/int/support/rootkit-detector/

and then follow-up by: http://www.eset.com/int/business/products/antivirus-for-mac/

You can just use the trial and then uninstall thereafter. But again the source is false so it's could be argued as an effort in futility.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now