nanog mailing list archives
Re: SMURF amplifier block list
From: Phil Howard <phil () charon milepost com>
Date: Sat, 18 Apr 1998 15:35:01 -0500 (CDT)
Dean Anderson writes...
During an in progress attack, you probably have to take extreme measures,Do you remember - it's not attack against you or attack by some of your customer's networks used as amplifier, but the attack initiated from your own network. You never note such thing withouth some permanent measurement.Oops. I misunderstood this first time round. I don't think you can easily detect smurf initiations, because you have to guess at the broadcast address. I think it is much easier to detect and block forged source addresses, which are also necessary for the hacker who is operating out of your network.
A combination of ...
1. blocking outbound packets with sources not in your own networks
2. blocking inbound packets addressed to broadcast addresses you know
you have in your subnetting topology
3. blocking inbound echo_request
4. blocking outbound echo_reply
... would be a good start. It breaks things like outsiders pinging your
network, but many find this an acceptable compromise. I've done #1, #3
and #4 for over 4 years. I plan to add #2 shortly, not only at the main
gateways, but also for all RADIUS based dialups, whether LAN or not. I
already block outbound packets to port 25, except allow them to my mail
servers, for all but customers who run their own mail servers, via RADIUS,
for purposes of blocking spam relaying. Of course that won't stop it all,
but it does stop most, including the naive.
I have no plans to block outbound packets to addresses ending in .255.
I'd love to be able to:
5. block inbound packets with sources I have no routes for
6. block inbound packets with sources that came in over an interface that
such a source could not route to if it were a destination
--
Phil Howard | blow2me7 () no4place net a6b5c4d9 () s1p0a0m4 net eat6this () noplace6 com
phil | stop5it8 () spammer6 edu no9way48 () dumbads1 net blow1me9 () s0p0a9m2 edu
at | suck3it2 () anywhere net crash528 () nowhere5 edu end7it11 () lame7ads com
milepost | stop6ads () no1where org no59ads8 () s6p5a1m6 org ads5suck () s8p8a3m8 edu
dot | no9way53 () no37ads3 net eat25me5 () s9p8a1m1 edu die8spam () spammer1 com
com | eat59me0 () spammer5 org stop4181 () dumbads9 net eat2this () spammer6 net
Current thread:
- Re: Filtering ICMP (Was Re: SMURF amplifier block list), (continued)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) D'Arcy J.M. Cain (Apr 22)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Alex P. Rudnev (Apr 21)
- Message not available
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Eric Germann (Apr 21)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Jason Lixfeld (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Pete Ashdown (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Richard Irving (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Brandon Ross (Apr 26)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Michael Dillon (Apr 24)
- Re: Filtering ICMP (Was Re: SMURF amplifier block list) Mark Whitis (Apr 26)
- Re: SMURF amplifier block list Dean Anderson (Apr 18)
- Re: SMURF amplifier block list Phil Howard (Apr 18)
- Message not available
- Re: SMURF amplifier block list Jay R. Ashworth (Apr 19)
- Re: SMURF amplifier block list Alex P. Rudnev (Apr 20)
- Re: SMURF amplifier block list jlixfeld (Apr 20)
- Re: SMURF amplifier block list Dean Anderson (Apr 19)
- Re: SMURF amplifier block list Jason Lixfeld (Apr 24)
- Re: SMURF amplifier block list Dean Anderson (Apr 24)
- Re: SMURF amplifier block list Stephen Sprunk (Apr 17)
- SMURF and spoofing: Important new information! Michael Dillon (Apr 17)
- Re: SMURF amplifier block list James R. Cutler (Apr 14)
- Message not available
- Re: SMURF amplifier block list Jay R. Ashworth (Apr 14)