IP Subnet Broadcast Amplification
I have been getting "IP subnet broadcast amplification" errors in the security log of my Netopia 3364N ADSL modem. Searching for any information on Google turned out to be a waste of time (the only post I found was on Experts Exchange [http://www.experts-exchange.com/Security/Q_21756799.html] and the solution was… buying a Cisco modem, which is not a fix to the original problem).
Calling AT&T and speaking with DSL support (on an unrelated problem, but I figured I can ask anyway), then with Advanced Internet Services support did not help either. In both cases I was told that they did not know what that security log error meant. I understand that AT&T cannot support every modem on the market but… it was them that supplied me with this model! So I contacted Netopia support and after a few minutes on the online chat I simply gave up.
What was so hard to find turned out to be easy to understand. The "IP Subnet Broadcast Amplification" entry was nothing more than an attempted smurf attack. The idea behind such an attack is simple: the attacker sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, using the spoofed source address of the intended victim. The result can be devastating, as hosts on the pinged network respond with ICMP traffic directed at the spoofed address. In some cases this may result in hundreds of hosts responding. Most modern network equipment is protected against denial-of-service (DoS) attacks such as smurfing, and other types as well.
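To make the log entry concrete, here is an added detection sketch (not part of the original post and not Netopia's logic) that flags ICMP echo requests addressed to a subnet's directed broadcast address. The packet tuples, the 192.168.1.0/24 LAN and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8  # ICMP type 8 = echo request, type 0 = echo reply

# Constructed sample records (not from the post): (source, destination, ICMP type)
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.168.1.255", 8),   # ping aimed at the directed broadcast
    ("203.0.113.9", "192.168.1.255", 8),
    ("192.168.1.20", "192.168.1.1", 8),    # ordinary unicast ping
    ("192.168.1.20", "192.168.1.255", 0),  # echo reply, not a request
    ("198.51.100.7", "192.168.1.77", 8),   # unicast ping from outside
]


def find_broadcast_pings(packets, network):
    """Count echo requests sent to the directed broadcast address of `network`.

    Keys are the *claimed* source addresses. In a smurf attempt that address
    is spoofed, so it identifies the intended victim, not the sender.
    """
    broadcast = ipaddress.ip_network(network).broadcast_address
    hits = Counter()
    for src, dst, icmp_type in packets:
        if icmp_type == ICMP_ECHO_REQUEST and ipaddress.ip_address(dst) == broadcast:
            hits[src] += 1
    return dict(hits)


def worst_case_replies(requests, network):
    """Upper bound on echo replies if every usable host address answered."""
    usable_hosts = max(ipaddress.ip_network(network).num_addresses - 2, 0)
    return requests * usable_hosts


if __name__ == "__main__":
    lan = "192.168.1.0/24"  # assumed LAN behind the modem
    for claimed_src, count in find_broadcast_pings(SAMPLE_PACKETS, lan).items():
        print(f"{count} broadcast echo request(s) claiming to be from {claimed_src}; "
              f"worst case {worst_case_replies(count, lan)} replies sent to it")
```

The worst-case figure shows why one request to a /24 broadcast address can turn into hundreds of replies, and why equipment that drops such requests at the edge logs the attempt instead of answering it.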
To sum things up: the solutions found online and the "help" received from AT&T and Netopia were of no help at all. Purchasing a replacement "simply because" is not a solution to any problem, but once again research helped solve a problem, which in the end turned out not to be a problem anyway.
It seems I’m not the lone ranger with this one. I followed the same path of discovery that you did, save that I found out what this “IP Subnet Broadcast Amplification” attack was from your post, and that it’s so severe that it overloads my router, causing internet outages for up to several minutes, at least a few dozen times per day, and god forbid I should want to connect on a Saturday or Sunday. I even went so far as to report the router as “defective” equipment, to which AT&T responded that these attacks were causing the trouble, not the unit. So I’m going to have to replace their flawed equipment on my dime. One would think that customer service would… but I’m venting at the wrong person. Sry. :\
I’m having the same problems with my Netopia and it’s kicking me off around 10 times an hour… and wireless is completely kicked off, forcing a reboot of the router. AT&T has no answer… is there a fix for this? What did you end up doing to resolve your issues?
Matt,
What’s the model number of the Netopia router that you’re using?