As a Mac user and a xxx employee, I've read the description of the Mac DoS attack you posted on your site in late December. What I don't understand is how this DoS attack differs from the standard "Smurf" ICMP Echo-Request DoS attack that's been around for several years. Was the point of your alert to indicate that 8.6/9.0 Macs could now be used in this kind of attack, whereas before they could not? Or was the point of your alert to indicate that Macs are more susceptible to this form of attack than some other operating systems, and therefore special attention needed to be paid to them? Or was the point of your alert to indicate that there was something about the latest version of OT that allowed for an entirely new kind of DoS, one that differed from the standard "Smurf" attack in specific ways? If so, could you elaborate on that differentiation.
The reason I ask this is that your posting has been interpreted by some folks at xxxx to suggest that the network router configurations that can prevent computers from being used in Smurf attacks would not apply in the Mac DoS attack. This may have been encouraged because your posting seems to suggest that you've found a new attack, rather than a new Mac vulnerability to a known DoS attack. Everything I've read suggests that this is just a new Mac vulnerability to the known "Smurf" DoS attack, one to which Win 95 and NT are also vulnerable, and that our first response should be to properly configure our routers to prevent it, as outlined by Cisco.
Ultimately, I'm simply trying to ensure that we take appropriate action to protect our subscribers and to prevent our network from being abused, but also to prevent any kind of overreaction which may suggest that we're unable to prevent our subscriber's Macs from being used in a unique form of attack on midnight of January 1st, unless we believe that this is actually the case. I'd really appreciate any additional info you can provide.
========
The Smurf attack is originated by sending an Echo-Request message with a broadcast destination address to a subnet. Every computer would then send a Echo-Reply of the same length to the spoofed source address of the incoming Echo-Request packets.
The Smurf Attack has been defeated by campus edge-routers or firewalls programmed to block (drop) incoming packets with broadcast destination addresses. This must include ICMP, UDP port-7, and TCP port-7 Echo-Request Packets.
The Mac OS9 DoS Attack uses OS9 Macintoshes scattered around the country or world with high-speed Internet connections to flood a target. The measures that eliminated the danger of Smuft attacks will not stop this one.
The only response I know is to drop large (>1499-byte) ICMP packets in the backbone. I've heard that Cisco routers cannot drop based on size unless they are in "packet examination" mode, which increases packet delay and decreases router throughput. I've also heard that Road Runner is preparing router scripts which drop all ICMP Echo-Request packets, and is prepared to load those scripts quickly if necessary.
Two email messages I have received hint that someone is experimenting with combining the Smuft Attack principle with the Mac DoS principle by sending Mac trigger packets with a broadcast address. I do not have the means at the moment the test whether this works.
John Copeland (1/2/00 14:00 EST)