Security Incidents mailing list archives

RE: ICMP/SYN Flood


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 22 May 2003 14:47:23 -0700

-----Original Message-----
From: Muhammad Naseer Bhatti [mailto:mail-lists () digitallinx com]

And the list goes on .. The question I want to ask here, is the
network/router poorly configured at my NOC which is allowing
broadcasts/networks to pass through it? If so, how can I assist them to
fix it? I am not a Cisco guru, so might need someone to give me some
hints so that I can pass that to the poor NOC techs.

  Briefly, NO.  (I'm going to suggest a possibility further
down this message, but I wouldn't characterise its current
behaviour as "poorly configured" -- it's pretty normal.)

  The definitions of broadcast and network addresses depend upon
where the split is between the network and host portions of the
address, which is pretty much private to the source network.
  (You can often make an educated guess by looking at routing 
tables from one hop away.  Beyond that, you don't really know.)

  MOST net blocks these days are smaller than a Class B, so
addresses in which the last two octets are ".0.0" are *likely*
to be network addresses.
  Your NOC guys *could* block those in an access list by 
wildcarding the first two octets (e.g., wildcard mask =
255.255.0.0).  The risk that this would block any legitimate
user is very tiny.
  It won't block all of your attackers, but it looks from your
list like it might be enough to make a difference.

David Gillett
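The access-list idea above, worked through as an added example (this is not code from the original message or from either poster). In Cisco IOS wildcard notation a mask bit of 1 means "don't care" and 0 means "must match", so an extended ACL entry of the form `access-list 101 deny ip 0.0.0.0 255.255.0.0 any` matches every source whose last two octets are .0.0. The Python below implements that same wildcard test and runs a hypothetical two-line ACL over a constructed sample of spoofed source addresses; the ACL number, the rule set and the sample addresses are assumptions for illustration, not taken from the report in this thread. It also shows the limit David mentions: network and broadcast addresses of smaller blocks (x.x.x.0, x.x.x.255) are not caught by this rule.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard comparison.

    A wildcard bit of 1 means the corresponding address bit is ignored;
    a wildcard bit of 0 means it must equal the bit in `base`.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (b & care)

# Hypothetical ingress ACL modelled on the advice in the message above
# (assumed rule set, not one from the original post):
#   access-list 101 deny   ip 0.0.0.0 255.255.0.0 any   -> drops x.x.0.0 sources
#   access-list 101 permit ip any any
ACL = [
    ("deny",   "0.0.0.0", "255.255.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),   # "any": every bit is don't-care
]

def acl_action(src: str, acl=ACL) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def filter_sources(sources, acl=ACL):
    """Split a batch of source addresses into (dropped, passed) per the ACL."""
    dropped = [s for s in sources if acl_action(s, acl) == "deny"]
    passed = [s for s in sources if acl_action(s, acl) == "permit"]
    return dropped, passed

# Constructed sample of spoofed sources (not the addresses from the report):
SAMPLE = [
    "10.1.0.0",        # network address of a /16  -> dropped
    "172.16.0.0",      # network address of a /12  -> dropped
    "192.168.5.0",     # network address of a /24  -> not caught by this rule
    "192.168.5.255",   # broadcast address of a /24 -> not caught by this rule
    "10.1.0.1",        # ordinary host             -> passed
]

if __name__ == "__main__":
    dropped, passed = filter_sources(SAMPLE)
    print("dropped:", dropped)
    print("passed: ", passed)
```

The deny entry only needs the low 16 bits to be zero, which is why the /24 network and broadcast addresses in the sample sail through; catching those would need a second entry with wildcard 255.255.255.0 and base 0.0.0.0 (and another for .255), at the cost of a somewhat larger chance of matching a real host.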

