Solved

Smurf Amplification Attack from a MACBOOK OSX

Posted on 2013-12-13
Last Modified: 2013-12-17
Our SonicWALL logs show tons of dropped "smurf amplification attack" entries from one of our people's MacBooks running OSX over our wireless network. We have run 2 separate antivirus scans on it and nothing has been found; if I disable access from the MAC address, no more attacks, so it's definitely originating from that laptop. My question is: could this be a false positive? It literally drops an attack every 2-3 minutes.
Question by:Javier_Arroyo
3 Comments
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39717678
Hi Javier_Arroyo,

SonicWALL has detected and prevented a Denial of Service attack. A Smurf Attack occurs when a single packet such as an ICMP echo frame is sent to a group of machines on the Internet with the source address replaced by the target computer or network IP address. This causes a flurry of echo responses to be sent to the target machine, which can overflow the target computer or network. This alert indicates that somebody is attempting to use your network as a smurf amplifier. Broadcasts on the local segment can sometimes trigger false Smurf Attack alerts.

What AV scan applications did you use to scan the MacBook?

SonicWALL has received a lot of inquiries about Smurf attack messages since 8/19/03, the day after the Sobig Worm and Nachi Virus spread. Smurf Amplification Attacks prior to that date were not as frequent as they are currently being reported. About the only thing you can do is request your ISP to block the suspect source addresses, but they are not likely to take any action.

You can unselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages.

Let me know if you have any other questions!
 

Author Comment

by:Javier_Arroyo
ID: 39717804
Yeah, I saw all of the above in a posting somewhere. As far as the AV software, I used Sophos for Mac and
 
LVL 25

Accepted Solution

by: Diverse IT (earned 500 total points)
ID: 39723184
It's not cost effective to trace Forged headers because by definition they are false. Your logs may do no good because the source can't be trusted to be the actual source.

It takes a poorly configured network or set of devices to make the amplification work "better". That is why I said, "you can deselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages."

As a precaution, you can run: http://www.eset.com/int/support/rootkit-detector/

and then follow-up by: http://www.eset.com/int/business/products/antivirus-for-mac/

You can just use the trial and then uninstall thereafter. But again, the source is false, so it could be argued as an effort in futility.
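As an added illustration of the distinction both replies above rely on (an echo request to a broadcast address from a host on the local segment, which often explains a false-positive alert, versus one whose claimed source is outside the segment, the reflector pattern), here is a small alert-triage helper. It is example code, not from the thread or from SonicWALL; the 192.168.1.0/24 range and the sample packets are assumed.

```python
# Added example (not from the thread): triage "smurf amplification" style
# alerts by checking whether an ICMP echo request is aimed at a broadcast
# address and whether its claimed source belongs to the local segment.
# The network range and sample packets are constructed for illustration.
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed wireless LAN
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_echo_request(src, dst, net=LOCAL_NET):
    """Classify an ICMP echo request by its (source, destination) pair.

    Returns one of:
      'unicast'          - destination is a single host; not a smurf pattern
      'local-broadcast'  - a local host pinging the subnet or limited
                           broadcast; a common cause of false-positive alerts
      'amplification'    - broadcast destination with a source address that is
                           outside the segment, i.e. a forged source that
                           would receive the flood of echo replies
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    is_broadcast = d == net.broadcast_address or d == LIMITED_BROADCAST
    if not is_broadcast:
        return "unicast"
    if s in net:
        return "local-broadcast"
    return "amplification"


def triage(packets, net=LOCAL_NET):
    """Count classifications over an iterable of (src, dst) tuples."""
    counts = {"unicast": 0, "local-broadcast": 0, "amplification": 0}
    for src, dst in packets:
        counts[classify_echo_request(src, dst, net)] += 1
    return counts


# Constructed sample: one unicast ping, two broadcast pings from a local
# laptop, and one broadcast ping carrying an outside (forged) source.
SAMPLE = [
    ("192.168.1.50", "192.168.1.1"),
    ("192.168.1.50", "192.168.1.255"),
    ("192.168.1.50", "255.255.255.255"),
    ("203.0.113.7", "192.168.1.255"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'unicast': 1, 'local-broadcast': 2, 'amplification': 1}
```

Run against source/destination pairs pulled from the firewall's dropped-packet entries, a log dominated by the 'local-broadcast' class points at the laptop's own broadcast traffic rather than an outside party using the segment as an amplifier.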
