North American Network Operators Group


Re: Smurfing

  • From: Craig A. Huegen
  • Date: Fri Feb 13 19:17:25 1998

On Fri, 13 Feb 1998, Steve Hultquist wrote:

==>Don't these answers answer a different question? Isn't the question how to
==>filter *outbound* attacks, not inbound ones? Filtering the inbound ones is
==>pretty easy on a Bay or anything with filters (drop packets bound for the
==>broadcast addresses). Filtering outbound is another story, especially with
==>CIDR. I would like to set up my routers to make sure I'm protecting as much
==>of the 'net as possible from attempts by my customers to do evil. However,
==>it's not clear to me how to do that. Does "no ip directed-broadcast" somehow
==>filter the *outbound* attacks or just the inbound ones?

"no ip directed-broadcast" keeps you from being one of the intermediaries
in the attack (traffic multiplier).  It prevents a perpetrator from being
able to multiply his traffic toward the victim, which is what makes smurf
so dangerous.

Outbound spoof filtering fixes more than just the smurf attack, and is
what everyone *should* be doing to protect against customers spoofing.

For now, you can place outbound ACLs on your interfaces.

Some folks have reported that functionality is currently being tested for
a unicast RPF check for Cisco IOS.  This feature will (on a per interface
basis) allow you to specify that packets coming in on an interface must
follow that interface to get back to the host.  Note that this feature
will not work everywhere (multihomed/first-exit environments), but will
provide protection against spoofing.

/cah
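An added illustration, not from this post or from any vendor's code, of the two outbound anti-spoofing options Craig describes: the reverse-path check (accept a packet only if the route back to its source leaves via the interface it arrived on) and a static ingress ACL on the customer port, modeled in Python over a constructed forwarding table; the last case reproduces the multihomed false positive he notes. Interface names and prefixes are assumptions.

```python
import ipaddress

# Constructed forwarding table for a small edge router: prefix -> egress interface.
# Longest-prefix match decides, so the default route only catches "everything else".
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Serial0",     # customer A, single-homed
    ipaddress.ip_network("198.51.100.0/24"): "Serial1",  # customer B, also attached via Serial2
    ipaddress.ip_network("0.0.0.0/0"): "Ethernet0",      # default route toward upstream
}

def lookup(addr):
    """Return the interface the router would use to reach addr (longest-prefix match)."""
    ip = ipaddress.ip_address(addr)
    best = max((net for net in FIB if ip in net), key=lambda net: net.prefixlen)
    return FIB[best]

def urpf_strict_accept(src, ingress):
    """The per-interface check described in the post: accept a packet only if the
    route back to its *source* address points out the interface it arrived on."""
    return lookup(src) == ingress

def ingress_acl_accept(src, customer_prefixes):
    """The static alternative: an ACL on the customer port that permits only
    source addresses inside the prefixes assigned to that customer."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)

if __name__ == "__main__":
    # Legitimate customer-A traffic passes; a packet with a forged source does not,
    # because the route back to 203.0.113.5 leaves via Ethernet0, not Serial0.
    print(urpf_strict_accept("192.0.2.10", "Serial0"))    # True
    print(urpf_strict_accept("203.0.113.5", "Serial0"))   # False
    # Caveat from the post: customer B's genuine traffic arriving on its second
    # link is dropped, since the FIB only knows Serial1 as the way back to it.
    print(urpf_strict_accept("198.51.100.7", "Serial2"))  # False (false positive)
    # The ACL approach has no such dependence on routing symmetry.
    print(ingress_acl_accept("198.51.100.7", ["198.51.100.0/24"]))  # True
```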