Security Incidents mailing list archives
Re: What am I seeing?
From: Valdis.Kletnieks () vt edu
Date: Tue, 23 Oct 2001 12:29:24 -0400
On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said:
> problem is...looks like, to me, that it is not coming from outside...thus the ingress filtering will not stop it. Or am I missing something?
>
> 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1

The trick here is to remember that ingress filtering will *not* stop these packets (as you noted, they originate inside the filter). What you need to do is find the packet that's being sent IN that's causing these replies, and ingress filter THAT.

This is similar to stopping SMURF attacks (which consist of streams of ICMP Echo Reply packets) by configuring your routers to Do The Right Thing(*) with ICMP Echo *Request* packets....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech

(*) The Right Thing is documented in RFC2644 "Changing the Default for Directed Broadcast in Routers". To summarize - routers should drop packets going to a subnet's broadcast address by default, and it should only be enabled if you know what you're doing....
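
Added example, not part of the original message: a small classifier that separates the inbound trigger packets (the ones to filter at the border) from the reply packets they cause, which is the distinction the reply above draws. The subnets, the packet record schema and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumed internal subnets (documentation ranges, constructed for this example).
INTERNAL = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "192.0.2.128/25")]
AMPLIFIER_UDP_PORTS = {7, 19}   # echo and chargen answer any datagram
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def is_directed_broadcast(dst):
    """True if dst is the all-ones (or legacy all-zeros) address of an internal subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr in (n.broadcast_address, n.network_address) for n in INTERNAL)

def classify(pkt):
    """Classify one packet record seen at the border router.

    pkt keys (hypothetical schema): iface ('outside' or 'inside'), src, dst,
    proto ('udp' or 'icmp'), plus sport/dport for UDP or icmp_type for ICMP.
    """
    if pkt["iface"] == "outside" and is_directed_broadcast(pkt["dst"]):
        if pkt["proto"] == "udp" and pkt.get("dport") in AMPLIFIER_UDP_PORTS:
            return "fraggle-trigger"
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
            return "smurf-trigger"
        return "directed-broadcast"      # RFC 2644 default: drop these as well
    src_internal = any(ipaddress.ip_address(pkt["src"]) in n for n in INTERNAL)
    if pkt["iface"] == "inside" and src_internal:
        if pkt["proto"] == "udp" and pkt.get("sport") in AMPLIFIER_UDP_PORTS:
            return "reply"               # symptom: originates inside the filter
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REPLY:
            return "reply"               # candidate symptom; ordinary ping replies match too
    return "other"

# Constructed sample records (not taken from the thread's log).
SAMPLE = [
    {"iface": "outside", "src": "203.0.113.9", "dst": "192.0.2.127", "proto": "udp", "sport": 40001, "dport": 7},
    {"iface": "inside", "src": "192.0.2.17", "dst": "203.0.113.9", "proto": "udp", "sport": 7, "dport": 40001},
    {"iface": "outside", "src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},
    {"iface": "inside", "src": "192.0.2.200", "dst": "203.0.113.9", "proto": "icmp", "icmp_type": 0},
    {"iface": "outside", "src": "198.51.100.4", "dst": "192.0.2.30", "proto": "udp", "sport": 53, "dport": 40000},
]

def summarize(packets):
    """Return (destinations of packets to filter at the border, number of reply packets seen)."""
    labels = [classify(p) for p in packets]
    drop = [p["dst"] for p, label in zip(packets, labels) if label not in ("reply", "other")]
    return drop, labels.count("reply")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
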