North American Network Operators Group
Re: New Denial of Service Attack on Panix

George Herbert writes:

> Simple for Livingstons...
>
> create a filter "internet.out"
> Contents:
> three lines for each net block you have:
>
> permit 1.2.3.4/20 tcp
> permit 1.2.3.4/20 udp
> permit 1.2.3.4/20 icmp

Actually, a single "permit 1.2.3.4/20" line will do. In Livingston
command line syntax:

    set filter internet.out 1 permit 1.2.3.4/20

> final line to log (optional) MUST COME AFTER permit list for netblocks:
> deny log
>
> The final line will have the router syslog a message any time someone
> tries to send from an address outside your blocks, as defined in the
> rest of the filter. This is optional. Keep in mind that the panix
> attack would probably have flooded your syslog machine's disk space
> with syslog info in this case. Hardening that is an issue for another day,
> however.

Logging denies will fill up your log anyway. Packets arriving for a
dialup user after he/she hangs up fall through to the default route
back out of the box. They are then _outbound_ packets with source
address off the network and destination address on the network. Dialup
providers who want to log denies based on a source address being on
their network should have a preceding unlogged deny based on the
destination address being on their network:

    set filter internet.out 1 permit 1.2.3.4/20
    set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
    set filter internet.out 3 deny log

--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
[email protected]  Owner, NetHeaven  518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
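To check that the three-rule ordering in the message behaves as described, here is an added Python simulation of first-match filter evaluation; it is not part of the original post or of Livingston's software. The netblock is the message's placeholder 1.2.3.4/20, the sample packets and log-line format are constructed, and the implicit deny at the end of a filter is an assumption.

```python
"""Simulate the ordered egress filter from the message: first matching rule wins."""
from ipaddress import ip_address, ip_network

# Placeholder netblock from the message; strict=False normalises the host
# bits so 1.2.3.4/20 becomes the 1.2.0.0/20 network.
NETBLOCK = ip_network("1.2.3.4/20", strict=False)
ANY = ip_network("0.0.0.0/0")

# Each rule: (action, log, source net, destination net), in filter order.
INTERNET_OUT = [
    ("permit", False, NETBLOCK, ANY),   # 1 permit 1.2.3.4/20
    ("deny",   False, ANY, NETBLOCK),   # 2 deny 0.0.0.0/0 1.2.3.4/20 (unlogged)
    ("deny",   True,  ANY, ANY),        # 3 deny log
]

# The same filter with rule 2 left out, to show why the message adds it.
WITHOUT_RULE_2 = [INTERNET_OUT[0], INTERNET_OUT[2]]


def evaluate(rules, src, dst):
    """Return (action, logged) from the first rule matching src and dst."""
    s, d = ip_address(src), ip_address(dst)
    for action, log, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action, log
    return "deny", False  # assumed implicit deny when no rule matches


def log_lines(rules, packets):
    """Return the (constructed-format) syslog lines a router would emit."""
    out = []
    for src, dst in packets:
        action, log = evaluate(rules, src, dst)
        if log:
            out.append(f"filter internet.out {action} {src} -> {dst}")
    return out


# Constructed packets for the three cases discussed in the message.
SAMPLE = [
    ("1.2.3.10", "198.51.100.5"),     # customer traffic: permitted
    ("198.51.100.5", "1.2.3.10"),     # reply to a hung-up dialup user: silent drop
    ("203.0.113.9", "198.51.100.5"),  # source off the netblock: denied and logged
]

if __name__ == "__main__":
    for src, dst in SAMPLE:
        print(src, "->", dst, evaluate(INTERNET_OUT, src, dst))
    print("log lines with rule 2:", len(log_lines(INTERNET_OUT, SAMPLE)))
    print("log lines without rule 2:", len(log_lines(WITHOUT_RULE_2, SAMPLE)))
```

With rule 2 present only the off-net source is logged; without it, the returned packets for a disconnected dialup user are logged as well, which is the log growth the message warns about.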