What Is a Smurf Amplifier?

Support knowledgebase (lmuelle_smurf_amplifier)
Applies to

SuSE Linux: Versions up to (including) 7.3

Symptom

You have been notified that your SuSE Linux system is a "smurf amplifier".

Cause

Your system replies to ICMP (Internet Control Message Protocol) broadcasts. There is nothing wrong with this in itself, but it can be misused. The abuse happens when the source address of the ICMP packet has been spoofed (forged) and your system replies to the alleged sender.

An FAQ with detailed information about this topic can be found, for instance, at http://www.ircnetops.org/smurf/faq.php

The command

cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
shows the current configuration of the running system.

If the output is 0, your system replies to ICMP broadcasts and you should proceed as explained below.

If the output is 1, you do not need to act immediately, but you should check, e.g. as described below, whether the setting will persist in the long term.

Solution

While the system is running, you can stop it from replying to such requests by executing the command
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

To keep this configuration in effect in the long run, insert the whole line of the echo command into the file boot.local, which is located in the directory /sbin/init.d/ up to SuSE Linux 7.0 and in /etc/init.d/ in later SuSE Linux versions.
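
The check and both parts of the fix above can be combined into one script. This is an added example, not part of the original SDB article; the function names, the PROC_FILE override and the --check/--apply options are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit and fix the smurf-amplifier setting from this article.
# PROC_FILE can be overridden (assumption, to allow testing against a copy).
PROC_FILE="${PROC_FILE:-/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts}"
FIX_LINE='echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts'

# boot.local lives in /sbin/init.d/ until SuSE Linux 7.0, /etc/init.d/ later.
find_boot_local() {
    for f in /etc/init.d/boot.local /sbin/init.d/boot.local; do
        if [ -f "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Prints "amplifier" (0), "protected" (1) or "unknown" (unreadable/other).
runtime_state() {
    v=$(cat "$1" 2>/dev/null) || v=
    case "$v" in
        0) echo amplifier ;;
        1) echo protected ;;
        *) echo unknown ;;
    esac
}

# Succeeds if an uncommented line in boot.local writes 1 to the setting.
is_persistent() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq 'echo[[:space:]]+"?1"?[[:space:]]*>[[:space:]]*/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts'
}

# Applies the runtime fix, then appends the echo line once if it is missing.
harden() {
    [ "$(runtime_state "$1")" = protected ] || echo "1" > "$1" || return 1
    is_persistent "$2" || printf '%s\n' "$FIX_LINE" >> "$2"
}

case "${1:-}" in
    --check)
        echo "runtime: $(runtime_state "$PROC_FILE")"
        if b=$(find_boot_local) && is_persistent "$b"; then
            echo "boot.local: fix present in $b"
        else
            echo "boot.local: fix missing"
        fi ;;
    --apply)
        b=$(find_boot_local) && harden "$PROC_FILE" "$b" ;;
esac
```

Run it as root with --check to report the current state, or with --apply to set the value and add the echo line to boot.local if it is not already there.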


Keywords: INTERNET, SECURITY, SPAM, ABUSE, MISUSE, ICMP, BROADCAST, SMURF

Categories: Internet

Feedback welcome: Send Mail to lmuelle+sdb@suse.de (Please give the following subject: SDB-lmuelle_smurf_amplifier)
SDB-lmuelle_smurf_amplifier, Copyright SuSE Linux AG, Nürnberg, Germany - Version: 06. Nov 2001
SuSE Linux AG - Last generated: 20. Nov 2001 by glazzar (sdb_gen 1.40.0)