Solved

Smurf Amplification Attack from a MacBook (OS X)

Posted on 2013-12-13
1,239 Views
Last Modified: 2013-12-17
Our SonicWALL logs show tons of dropped "smurf amplification attack" entries from one of our people's MacBooks running OS X over our wireless network. We have run 2 separate antivirus scans on it and nothing has been found. If I disable access from the MAC address, there are no more attacks, so it is definitely originating from that laptop. My question is: could this be a false positive? It literally drops an attack every 2-3 minutes.
Question by:Javier_Arroyo
3 Comments
 
Expert Comment

by:Diverse IT
ID: 39717678
Hi Javier_Arroyo,

SonicWALL has detected and prevented a Denial of Service attack. A Smurf Attack occurs when a single packet such as an ICMP echo frame is sent to a group of machines on the Internet with the source address replaced by the target computer or network IP address. This causes a flurry of echo responses to be sent to the target machine, which can overflow the target computer or network. This alert indicates that somebody is attempting to use your network as a smurf amplifier. Broadcasts on the local segment can sometimes trigger false Smurf Attack alerts.

What AV scan applications did you use to scan the MacBook?

SonicWALL has received a lot of inquiries about Smurf attack messages since 8/19/03, the day after the Sobig worm and Nachi virus spread. Smurf Amplification Attacks prior to that date were not as frequent as those currently being reported. About the only thing you can do is request that your ISP block the suspect source addresses, but they are not likely to take any action.

You can unselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages.

Let me know if you have any other questions!
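The mechanism described in the comment above can be checked directly on the MacBook rather than only inferred from the firewall log. The script below is an added example, not part of the original thread or any SonicWALL tooling: it classifies ICMP lines in the text format printed by `tcpdump -n -i en0 icmp` and separates the textbook amplifier trigger (an echo request to the segment's directed broadcast address with a source outside the segment, i.e. a presumably forged source) from the false-positive case the comment mentions (a host on the local segment pinging the broadcast address). The subnet 192.168.10.0/24, the interface name en0, and the sample tcpdump lines are all constructed assumptions; substitute the real wireless subnet.

```python
import ipaddress
import re

# Assumed local wireless segment (constructed for this example; replace with yours).
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Shape of the lines printed by `tcpdump -n -i en0 icmp` for echo traffic:
#   <timestamp> IP <src> > <dst>: ICMP echo request, id N, seq N, length N
_ECHO_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP (?P<kind>echo request|echo reply)"
)


def classify(line, net=LOCAL_NET):
    """Classify one tcpdump ICMP line.

    Returns:
      'smurf'       echo request to the directed (or limited) broadcast of the
                    segment from a source outside it: the amplifier trigger, whose
                    source address is presumably forged and therefore not the
                    real sender
      'local-bcast' echo request to the broadcast from a host on the segment:
                    the local broadcast case that tends to be reported as a
                    false "smurf amplification" alert
      'reply'       echo reply (what an amplifier emits toward the victim)
      'unicast'     an ordinary ping to a single host
      None          not an ICMP echo request/reply line at all
    """
    m = _ECHO_LINE.match(line)
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if m["kind"] == "echo reply":
        return "reply"
    to_broadcast = dst == net.broadcast_address or dst == LIMITED_BROADCAST
    if not to_broadcast:
        return "unicast"
    # Same broadcast destination, but the source decides whether this is a
    # spoofed trigger or a legitimate local broadcast ping.
    return "local-bcast" if src in net else "smurf"


def summarize(lines, net=LOCAL_NET):
    """Count each classification over a capture, ignoring non-echo lines."""
    counts = {}
    for line in lines:
        label = classify(line, net)
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample capture (not real traffic). 203.0.113.9 is a documentation
# address standing in for an off-segment, presumably forged, source.
SAMPLE_CAPTURE = """\
10:41:02.118422 IP 192.168.10.37 > 192.168.10.255: ICMP echo request, id 6132, seq 1, length 64
10:41:02.118901 IP 192.168.10.1 > 192.168.10.37: ICMP echo reply, id 6132, seq 1, length 64
10:41:05.220114 IP 203.0.113.9 > 192.168.10.255: ICMP echo request, id 1, seq 7, length 1024
10:41:06.000010 IP 192.168.10.37 > 8.8.8.8: ICMP echo request, id 22, seq 1, length 64
10:41:06.013220 IP 8.8.8.8 > 192.168.10.37: ICMP echo reply, id 22, seq 1, length 64
10:41:07.500000 IP 192.168.10.1 > 192.168.10.37: ICMP 192.168.10.1 udp port 53 unreachable, length 36
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_CAPTURE:
        print(f"{classify(line)!s:12} {line}")
    print(summarize(SAMPLE_CAPTURE))
```

To use it on the laptop in question, capture for a few minutes with `sudo tcpdump -n -i en0 icmp > icmp.log` (the interface name is an assumption; check `ifconfig`) and feed the file's lines to `summarize`. A steady stream of `local-bcast` lines from the MacBook's own address points to something on the Mac pinging the broadcast address, which the firewall is labelling as an attack; `smurf` lines would mean the segment is receiving spoofed-source triggers, in which case the MAC address the firewall blames is only the last hop, not the origin.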
Author Comment

by:Javier_Arroyo
ID: 39717804
Yeah, I saw all of the above in a posting somewhere. As far as the AV software used, Sophos for Mac and
Accepted Solution

by: Diverse IT (earned 500 total points)
ID: 39723184
It's not cost effective to trace forged headers because by definition they are false. Your logs may do no good because the source can't be trusted to be the actual source.

It takes a poorly configured network or set of devices to make the amplification work "better". That is why I said, "you can deselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages."

As a precaution, you can run: http://www.eset.com/int/support/rootkit-detector/

and then follow-up by: http://www.eset.com/int/business/products/antivirus-for-mac/

You can just use the trial and then uninstall afterwards. But again, the source is false, so it could be argued to be an effort in futility.