• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1344
  • Last Modified:

Smurf Amplification Attack from a MACBOOK OSX

Our sonicwall logs show tons of dropped "smurf amplification attack" entries from one of our peoples MacBook running OSX  over our wireless network, we have ran 2 separate antivuris scans on it and nothing has been found, if I disable access from the MAC address, no more attacks to definitely originating from that laptop. My question is could this be a false positive? It literally drops an attach every 2-3 minutes.
0
Javier_Arroyo
Asked:
Javier_Arroyo
  • 2
1 Solution
 
Blue Street TechLast KnightsCommented:
Hi Javier_Arroyo,

SonicWALL has detected and prevented a Denial of Service attack. A Smurf Attack occurs when a single packet such as an ICMP echo frame is sent to a group of machines on the Internet with the source address replaced by the target computer or network IP address. This causes a flurry of echo responses to be sent to the target machine, which can overflow the target computer or network. This alert indicates that somebody is attempting to use your network as a smurf amplifier. Broadcasts on the local segment can sometimes trigger false Smurf Attack alerts.

What AV scan applications did you used to scan the MacBook?

SonicWALL has received a lot of inquiries about Smurf attack messages since 8/19/03, the day after the Sobig Worm and Nachi Virus spread. Smurf Amplification Attacks prior to that date were not as frequent as are currently being reported. About the only thing you can do is request your ISP to block the suspect source addresses, but they are not likely to take any action.

You can unselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages.

Let me know if you have any other questions!
0
 
Javier_ArroyoAuthor Commented:
Yea I saw all of the above in a posting somewhere. As far as the AV software used Sophos for MAC and
0
 
Blue Street TechLast KnightsCommented:
It's not cost effective to trace Forged headers because by definition they are false. Your logs may do no good because the source can't be trusted to be the actual source.

It takes a poorly configured network or set of devices to make the amplification work "better". That is why I said, "you can deselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages."

As a precaution, you can run: http://www.eset.com/int/support/rootkit-detector/

and then follow-up by: http://www.eset.com/int/business/products/antivirus-for-mac/

You can just use the trial and then uninstall thereafter. But again the source is false so it's could be argued as an effort in futility.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now