nanog mailing list archives
Re: New Denial of Service Attack on Panix
From: George Herbert <gherbert () crl com>
Date: Mon, 16 Sep 1996 21:07:57 -0700
> Has someone come up with instructions on how to do source address filtering/verification for different brands of routers? It would be good if someone could put up a web page with complete instructions on how to do this. If this could be done quick enough we could possibly get the URL some publicity due to the current Panix attack.
>
> I would certainly publicize such a website. Although I think it would be best if it was placed at some other site with info that ISPs should see, like perhaps www.ra.net.
>
> So far I've only seen Cisco filters posted. We still need to see instructions for Livingston IRX, Bay, and Linux/FreeBSD ipfwadm.
Simple for Livingstons... create a filter "internet.out"

Contents: three lines for each net block you have:

    permit 1.2.3.4/20 tcp
    permit 1.2.3.4/20 udp
    permit 1.2.3.4/20 icmp

Final line to log (optional), MUST COME AFTER permit list for netblocks:

    deny log

The final line will have the router syslog a message any time someone tries to send from an address outside your blocks, as defined in the rest of the filter. This is optional. Keep in mind that the Panix attack would probably have flooded your syslog machine's disk space with syslog info in this case. Hardening that is an issue for another day, however.

Apply this to all outbound ports on your gateway IRX routers. You can do similar things with inbound ports on customer connections or other internal routers if you desire to start filtering earlier than your border gateway machines.

For example, if 1.2.3.0/21 is your block for your St Louis hub and 2.3.11.0/24 and 2.3.22.0/26 are customer nets there, then the outbound interface for your St Louis IRX could have the following filter on its outbound interface(s):

    permit 1.2.3.0/21 tcp
    permit 1.2.3.0/21 udp
    permit 1.2.3.0/21 icmp
    permit 2.3.11.0/24 tcp
    permit 2.3.11.0/24 udp
    permit 2.3.11.0/24 icmp
    permit 2.3.22.0/26 tcp
    permit 2.3.22.0/26 udp
    permit 2.3.22.0/26 icmp
    deny log

Alternatively you can filter on incoming ports with the same syntax.

-george william herbert
gherbert () crl com

Random Disclaimer time, since InterNIC asked me recently: I have not been a CRL employee for nearly 2 years. My opinions are of course my own.
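As an added illustration (not part of the post, and not Livingston's own filter engine), the following Python simulates the semantics the post relies on: rules are evaluated in order, the first match wins, and the trailing deny log catches every packet whose source lies outside the listed blocks. It assumes an implicit, unlogged deny when no rule matches and that the protocol token must match exactly; the filter text is the St Louis example from the post and the packets are constructed.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed: the St Louis hub filter from the post, with "deny log" last.
ST_LOUIS_FILTER = """
permit 1.2.3.0/21 tcp
permit 1.2.3.0/21 udp
permit 1.2.3.0/21 icmp
permit 2.3.11.0/24 tcp
permit 2.3.11.0/24 udp
permit 2.3.11.0/24 icmp
permit 2.3.22.0/26 tcp
permit 2.3.22.0/26 udp
permit 2.3.22.0/26 icmp
deny log
"""

@dataclass
class Rule:
    action: str                            # "permit" or "deny"
    network: ipaddress.IPv4Network | None  # None matches any source address
    proto: str | None                      # None matches any IP protocol
    log: bool                              # router syslogs a hit on this rule

def parse_filter(text: str) -> list[Rule]:
    """Parse 'permit <net> <proto>' / 'deny [log]' lines, preserving order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, *rest = tokens
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        log = "log" in rest
        rest = [t for t in rest if t != "log"]
        # strict=False so a block written as 1.2.3.4/20 (host bits set) parses
        network = ipaddress.ip_network(rest[0], strict=False) if rest else None
        rules.append(Rule(action, network, rest[1] if len(rest) > 1 else None, log))
    return rules

def evaluate(rules: list[Rule], src: str, proto: str) -> tuple[str, bool]:
    """First match wins; assumed implicit unlogged deny if nothing matches."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if (r.network is None or addr in r.network) and r.proto in (None, proto):
            return r.action, r.log
    return "deny", False
```

Running a packet from 2.3.22.70 through it shows why the /26 boundary matters (that host is outside 2.3.22.0/26 and lands on deny log), and a packet from a valid block using a protocol other than tcp, udp or icmp is dropped and logged the same way, since nothing above the catch-all permits it.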