Firewall Wizards mailing list archives

Re: Smurfs and fraggles


From: Bennett Todd <bet () newritz mordor net>
Date: Thu, 11 Feb 1999 20:43:53 +0000

1999-02-11-16:37:53 dcostello () cmol com:
Based on my understanding I don't see as there is a way to prevent from
being attacked unless I can somehow monitor the rate of incoming ICMP
packets and if there's some sudden spike from a certain IP address or
addresses automatically filter them out. That seems like a fair amount of
intelligence and programming to put into a router or firewall.

To protect against this kind of DoS, you have to block the packets upstream of
the bottleneck that will get swamped --- typically your link up to the
backbone. I.e. you have to get your provider to put filters on _their_ router.

While perhaps few sites do it until they've been attacked, it is becoming a
relatively common practice to get ICMP echo reply blocked at the backbone
router, losing you the ability to use ping. If fraggle were widely used people
would have to do that with UDP echo as well, losing you the ability to use
traceroute.

A much more precise fix is possible, and could probably be programmed into a
fw1 or other "stateful inspection" type firewall; you'd need to define rules
to let the firewall block all packets of whatever type until some hint is
given that you are gonna want them; the details will be application specific.
E.g. for ping, the rule would be something like "if you see an outbound
ICMP echo request, allow up to one return echo reply to come back, from the
request's destination addr to the request's src addr, and drop the exception
if it isn't used within 5 minutes". I expect a similar hack would work for UDP
echo to allow traceroute to generate a complete report.

I fear we probably won't succeed in stopping people from committing this sort
of attack; it's too much effort to hunt the perps down and properly persecute
them, so few victims will bother. And the needed filters to prevent sites from
being amplifiers will probably never be universally deployed. So I expect
before too many years, the necessary minimum config for a good internet feed
will include a suitably configured firewall on the provider's end.

What firewalls are currently available that can in fact implement the kind of
rules I'm fantasizing here? FW1? Cisco Pix? Anything else?

-Bennett
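An added example, not part of Bennett's post: a small Python model of the stateful ping rule he sketches (an inbound echo reply is admitted only once, only from the pinged address back to the pinging address, and only while the outbound request is less than 5 minutes old). Packets, addresses and the clock are constructed here; the ICMP identifier/sequence matching is an assumption about how a real implementation would pair replies with requests.

```python
import time
REPLY_WINDOW = 300  # seconds: the "5 minutes" in the post

class EchoStateFilter:
    """Admit an inbound echo reply once, only against a recent outbound request."""
    def __init__(self, now=time.time):
        self.now = now     # injectable clock
        self.pending = {}  # (src, dst, id, seq) -> expiry time

    def _expire(self):
        t = self.now()
        for key in [k for k, exp in self.pending.items() if exp <= t]:
            del self.pending[key]

    def outbound(self, pkt):
        """Outbound passes; an echo request (type 8) opens one reply slot."""
        if pkt["proto"] == "icmp" and pkt["type"] == 8:
            key = (pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])
            self.pending[key] = self.now() + REPLY_WINDOW
        return True

    def inbound(self, pkt):
        """Echo reply (type 0) passes only if it consumes a pending slot."""
        self._expire()
        if pkt["proto"] != "icmp" or pkt["type"] != 0:
            return False  # model is deliberately narrow: nothing else inbound
        key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])  # reversed
        if key in self.pending:
            del self.pending[key]  # at most one reply per request
            return True
        return False

def icmp(src, dst, typ, ident=7, seq=1):
    return {"proto": "icmp", "type": typ, "src": src, "dst": dst, "id": ident, "seq": seq}

def simulate():
    """Constructed scenario: one real ping, then smurf-style unsolicited replies."""
    clock = [1000.0]
    fw = EchoStateFilter(now=lambda: clock[0])
    fw.outbound(icmp("10.0.0.5", "192.0.2.1", 8))
    verdicts = {
        "matching reply": fw.inbound(icmp("192.0.2.1", "10.0.0.5", 0)),
        "duplicate reply": fw.inbound(icmp("192.0.2.1", "10.0.0.5", 0)),
        "unsolicited reply": fw.inbound(icmp("198.51.100.9", "10.0.0.5", 0)),
    }
    fw.outbound(icmp("10.0.0.5", "192.0.2.1", 8))
    clock[0] += REPLY_WINDOW + 1  # slot unused within 5 minutes expires
    verdicts["late reply"] = fw.inbound(icmp("192.0.2.1", "10.0.0.5", 0))
    return verdicts
```

As the post itself points out, a rule like this keeps the flood off the inside network but does nothing for the upstream link that the amplified replies have already saturated; that part still needs the provider's filters.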


