Re: What am I seeing?

["'Bill Scherr IV, GCIA'" <bschnzl () bigfoot com>]

Folks...

   Fraggle or smurf or cookie monster.  Proper Ingress/Egress filtering 

http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.
multi

and Router configuration (Router (config-subif)# no ip directed-broadcast)

http://www.cisco.com/warp/public/707/22.html

will make this a non-issue.  obsid's script has an excellent list of IANA 
reserved nets!  It also blocks the RFC 1918 stuff and directed/limited 
broadcasts.  The point here is that no matter how you do it, put the proper 
filters in place.  (ISPs too!)  DoS defense depends on ALL of us!

On 23 Oct 2001, at 13:35, Richard.Smith () predictive com wrote:

> A fraggle attack is not an ICMP based attack. It is UDP based. 
> Nevertheless, you should be filtering all reserved and RFC 1918 networks 
> at your borders. This would prevent UDP ECHO's from ever reaching your 
> internal hosts. The intent of the attacker seems to be to bring down your /24
> not any other external site. So they might redirect their attack at your router
> if you filter their spoofed network. Then their attack might not be as
> effective since it won't be amplified by your internal hosts, but it might be
> annoying. If you have filtered their bogus source (0.0.0.0) and they continue
> to barrage your router you have no choice but to work  with your upstream
> provider and track the source via ASN as Valdis mentioned below. 
>
> If you need info on filtering the reserved and/or RFC 1918 networks or 
> hardening Cisco routers in general a good white paper is Bastion Routers 
> and you can find it on Phrack.
>
> http://www.phrack.org/show.php?p=55&a=10
>
> Richard S Smith
> Sr Information Security Analyst
> Global Integrity a Division of Predictive Systems
>
>
>
>
>
>
> Valdis.Kletnieks () vt edu
> 10/23/2001 12:29 PM
>
>
>         To:     jkruser <jkruser () adelphia net>
>         cc:     incidents () securityfocus com, focus-ids () securityfocus com
>         Subject:        Re: What am I seeing?
>
>
> On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said:
> > problem is...looks like, to me, that it is not coming from 
> outside...thus
> > the ingress filtering will not stop it. Or am I missing something?
>
> > 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated,
> > MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1
>
> The trick here is to remember that ingress filtering will *not* stop these
> packets (as you noted, they originate inside the filter).  What you need to do
> is find the packet that's being sent IN that's causing these replies, and
> ingress filter THAT.
>
> This is similar to stopping SMURF attacks (which consist of streams of
> ICMP Echo Reply packets) by configuring your routers to Do The Right
> Thing(*) with ICMP Echo *Request* packets....
>
> -- 
>                                        Valdis 
> Kletnieks
>                                        Operating 
> Systems Analyst
>                                        Virginia 
> Tech
>
> (*) The Right Thing is documented in RFC2644 "Changing the Default for
> Directed Broadcast in Routers".  To summarize - routers should drop
> packets going to a subnet's broadcast address by default, and it should
> only be enabled if you know what you're doing....


Bill Scherr IV, GCIA
Electronic Warfare Associates / IIT
Lafayette RTI, Camp Johnson
Colchester, VT 05446
802-338-3213

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com