Re: ICMP/SYN Flood

[Dr J <doctorj () bigpond net au>]

Add the lines (should be OK for an inbound acl - check
with your netprogs)

deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any

to destroy packets destined for broadcast addresses.

Your router should also be configured so that it cannot forward directed
broadcasts (unless you make use of this feature):

rtr(enable)# configure terminal
rtr(config)# interface ethernet 0/0      <check with netprogs>
rtr(config-if)# no ip directed-broadcast
rtr(config-if)# end

Also, if you are regularly receiving attacks from the sites below
you may need to add something similar to below to your router config.
for each network that you mention - you also appear to reference
16-bit ip-addr. spaces. This is huge and you may want to scale this
down by getting correct masks (by inspecting the source ip's and
doing a `whois`) or continually blocking each attack on an individual
ip address basis - which would mean continuing to harass your netprogs.

deny ip 37.72.0.0 0.0.255.255 any     (watch direction - netprogs)
deny tcp host 37.72.AAA.BBB any     -single ip
deny tcp host 37.72.AAA.BBB any eq 80 -single ip/protocol (WWW)

Hope this is a start.
Dr J.

On Thu, 2003-05-22 at 12:47, Muhammad Naseer Bhatti wrote:
> Hi list ..
>
> I am experiencing a bad DDoS attack toward one of my server. The attack is
> pointed to only 1 IP on which a governmental site is hosted. Seems some
> folks don't like the site to stay up. As far as the Server (Linux) security
> is concerned, I am able to make that up serving all requests without any
> hesitation. My network with which I am connected to is poorly configured and
> allowing the DDoS attack to pass thru their routers. I am getting two kind
> of attacks here:
>
> - ICMP Flood
>         Simple ICMP flood from various spoofed hosts. This I know can be
> blocked on the router for the particular IP. Unfortunately the network guys
> are still not able to do that.
>
> - SYN Flood
>         Interesting thing. Loots of SYN requests from these kind of
> network/broadcasts towards port 80 only.
>
> 37.72.0.0
> 128.89.0.0
> 173.66.0.0
> 37.155.0.0
> 177.225.0.0
> 37.94.0.0
> 36.162.0.0
> 117.77.0.0
> 151.162.0.0
> 36.216.0.0
> 134.248.0.0
> 175.129.0.0
>
> And the list goes oon .. The question I want to ask here, is the
> network/router poorly configured at my NOC which is allowing
> broadcasts/networks to pass through it? If so, how can I assist them to fix
> it? I am not a Cisco guru, so might need someone to give me some hints so
> that I can pass that to the poor NOC techs.
>
> Any help would be appreciated.
>
>
> Thanks,
>
> Muhammad Naseer
> ----

> ----------------------------------------------------------------------------
> *** Wireless LAN Policies for Security & Management - NEW White Paper ***
> Just like wired networks, wireless LANs require network security policies 
> that are enforced to protect WLANs from known vulnerabilities and threats. 
> Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
>
> To get your FREE white paper visit us at:    
> http://www.securityfocus.com/AirDefense-incidents
> ----------------------------------------------------------------------------
Joe Haskian


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------