nanog mailing list archives

Re: New Denial of Service Attack on Panix


From: "Dick St.Peters" <stpeters () NetHeaven com>
Date: Tue, 17 Sep 1996 14:51:05 -0400

George Herbert writes:

> Simple for Livingstons...
> 
> create a filter "internet.out"
> Contents:
> three lines for each net block you have:
> 
>       permit 1.2.3.4/20 tcp
>       permit 1.2.3.4/20 udp
>       permit 1.2.3.4/20 icmp

Actually, a single "permit 1.2.3.4/20" line will do.  In Livingston
command line syntax:

        set filter internet.out 1 permit 1.2.3.4/20

> final line to log (optional) MUST COME AFTER permit list for netblocks:
>       deny log
> 
> The final line will have the router syslog a message any time someone
> tries to send from an address outside your blocks, as defined in the
> rest of the filter.  This is optional.  Keep in mind that the Panix
> attack would probably have flooded your syslog machine's disk space
> with syslog info in this case.  Hardening that is an issue for another day,
> however.

Logging denies will fill up your log anyway.  Packets arriving for a
dialup user after he/she hangs up fall through to the default route
back out of the box.  They are then _outbound_ packets with source
address off the network and destination address on the network.

Dialup providers who want to log denies based on a source address
being on their network should have a preceding unlogged deny based on
the destination address being on their network:

        set filter internet.out 1 permit 1.2.3.4/20
        set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
        set filter internet.out 3 deny log

--
Dick St.Peters,       Gatekeeper, Pearly Gateway, Ballston Spa, NY
stpeters () NetHeaven com     Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
          First Internet service based in the 518 area code
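The rule-ordering point in the reply above, as an added example that is not part of the original post: a small Python model of the three-line "internet.out" filter, run over constructed packets. It assumes first-match evaluation with an implicit unlogged deny at the end, and uses the post's placeholder block 1.2.3.4/20; it models the filter logic only, not the Livingston router itself.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

class Rule(NamedTuple):
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source prefix the line matches
    dst: ipaddress.IPv4Network   # destination prefix the line matches
    log: bool = False            # "deny log" sets this

# 1.2.3.4/20 is the placeholder netblock from the post (the router would
# treat it as 1.2.0.0/20); 0.0.0.0/0 stands in for an omitted address field.
OUR_BLOCK = ipaddress.ip_network("1.2.3.4/20", strict=False)
ANY = ipaddress.ip_network("0.0.0.0/0")

# The three-line "internet.out" filter from the post.
INTERNET_OUT = [
    Rule("permit", OUR_BLOCK, ANY),       # 1 permit 1.2.3.4/20
    Rule("deny", ANY, OUR_BLOCK),         # 2 deny 0.0.0.0/0 1.2.3.4/20
    Rule("deny", ANY, ANY, log=True),     # 3 deny log
]
WITHOUT_DST_DENY = [INTERNET_OUT[0], INTERNET_OUT[2]]  # same filter minus line 2

def evaluate(filt: List[Rule], src: str, dst: str) -> Tuple[str, bool]:
    """Return (action, logged) for one packet. Assumes first-match
    evaluation with an implicit unlogged deny when no line matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in filt:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.log
    return "deny", False

def apply_filter(filt: List[Rule], packets):
    """Run packets through filt; return the forwarded ones and the
    syslog lines the logged denies would produce."""
    forwarded, syslog = [], []
    for src, dst in packets:
        action, logged = evaluate(filt, src, dst)
        if action == "permit":
            forwarded.append((src, dst))
        elif logged:
            syslog.append(f"deny {src} -> {dst}")
    return forwarded, syslog

# Constructed sample traffic leaving the router via the default route.
SAMPLE_PACKETS = [
    ("1.2.5.9", "198.51.100.7"),    # customer in our block: forwarded
    ("203.0.113.5", "1.2.7.7"),     # reply to a dialup user who hung up
    ("10.9.8.7", "198.51.100.7"),   # source not ours: the case worth logging
]
```

Running `apply_filter(WITHOUT_DST_DENY, SAMPLE_PACKETS)` logs the hung-up user's stray reply as well, which is the log noise the second line is there to suppress.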