Solved

Smurf Amplification Attack from a MACBOOK OSX

Posted on 2013-12-13
Last Modified: 2013-12-17
Our SonicWALL logs show tons of dropped "smurf amplification attack" entries from one of our people's MacBook running OSX over our wireless network. We have run 2 separate antivirus scans on it and nothing has been found. If I disable access from the MAC address, no more attacks, so definitely originating from that laptop. My question is could this be a false positive? It literally drops an attack every 2-3 minutes.
Question by:Javier_Arroyo
LVL 25

Expert Comment

by:Diverse IT
ID: 39717678
Hi Javier_Arroyo,

SonicWALL has detected and prevented a Denial of Service attack. A Smurf Attack occurs when a single packet such as an ICMP echo frame is sent to a group of machines on the Internet with the source address replaced by the target computer or network IP address. This causes a flurry of echo responses to be sent to the target machine, which can overflow the target computer or network. This alert indicates that somebody is attempting to use your network as a smurf amplifier. Broadcasts on the local segment can sometimes trigger false Smurf Attack alerts.

What AV scan applications did you use to scan the MacBook?

SonicWALL has received a lot of inquiries about Smurf attack messages since 8/19/03, the day after the Sobig Worm and Nachi Virus spread. Smurf Amplification Attacks prior to that date were not as frequent as are currently being reported. About the only thing you can do is request your ISP to block the suspect source addresses, but they are not likely to take any action.

You can unselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages.

Let me know if you have any other questions!
 

Author Comment

by:Javier_Arroyo
ID: 39717804
Yea I saw all of the above in a posting somewhere. As far as the AV software used Sophos for MAC and
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39723184
It's not cost effective to trace forged headers because by definition they are false. Your logs may do no good because the source can't be trusted to be the actual source.

It takes a poorly configured network or set of devices to make the amplification work "better". That is why I said, "you can deselect the Attacks category in the Log settings, if you are overwhelmed by the messages. The SonicWALL will continue to protect your network by dropping the packets, but you will not receive any attack messages."

As a precaution, you can run: http://www.eset.com/int/support/rootkit-detector/

and then follow-up by: http://www.eset.com/int/business/products/antivirus-for-mac/

You can just use the trial and then uninstall thereafter. But again the source is false so it could be argued as an effort in futility.
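A triage sketch for two points raised in the answers above: local broadcasts can trigger false smurf alerts, and a logged source address can be forged. This is an added example, not part of the original thread and not SonicWALL's own detection logic; the LAN range, the record layout and the sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed LAN behind the firewall (not taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
ICMP_ECHO_REQUEST = 8

# Constructed records: (ingress interface, source, destination, protocol, ICMP type).
# This is a generic layout, not the SonicWALL log format.
SAMPLE = [
    ("lan", "192.168.1.57", "192.168.1.255", "udp", None),
    ("lan", "192.168.1.57", "255.255.255.255", "udp", None),
    ("lan", "192.168.1.57", "192.168.1.255", "icmp", 8),
    ("wan", "203.0.113.9", "192.168.1.255", "icmp", 8),
    ("wan", "192.168.1.20", "192.168.1.255", "icmp", 8),
    ("lan", "192.168.1.57", "198.51.100.4", "icmp", 8),
]

def classify(iface, src, dst, proto, icmp_type, lan=LAN):
    """Return a triage verdict for one dropped-packet record."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in (lan.broadcast_address, LIMITED_BROADCAST):
        return "not-broadcast"
    if iface == "wan" and src_ip in lan:
        # An inside address cannot legitimately arrive from outside.
        return "spoofed-source"
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
        # Echo request to a broadcast address is the smurf trigger packet.
        return "smurf-pattern" if iface == "wan" else "local-echo-to-broadcast"
    # Non-ICMP broadcast from the local segment: the false-positive case.
    return "local-broadcast" if iface == "lan" else "external-broadcast"

def summarize(records):
    """Count verdicts per (source, verdict) so repeat offenders stand out."""
    return Counter((r[1], classify(*r)) for r in records)

if __name__ == "__main__":
    for (src, verdict), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {verdict:24} {n}")
```

A laptop that only ever lands in `local-broadcast` matches the false-positive case described in the first answer, while `local-echo-to-broadcast` from the same host is worth a closer look at what on that machine is sending it.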