North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF amplifier block list

  • From: Alex P. Rudnev
  • Date: Sat Apr 18 15:09:33 1998

I am talking about boths blocking exterior smurfers from usage your 
networks as amplifier, and blocking your smurfers from sending such 
packets by your network. Second task allow you to cutch any smurfer in 
your own network in a 5 minutes.

Just now the only thing big ISP can do in case of SMURF is to block 
ECHO_REPLY packets to some attacked networks; it results from preventing 
any PING tests from this networks. Why don't sacrify some addresses 
(*.255, really) from be pinged at all, but save your from be the source 
or amplifier of the SMURF?

And then, if you should not block by 'log' such packets you'll have the 
log records about your own smurfers withouth loosing any ICMP 
capabilities at all. 



> 
> Umm, I think this has already been hashed out. This is not the only netmask
> on the planet, and you don't know what other networks netmasks are under
> CIDR. Trying to guess the netmask just leads to breakage.
> 
> All you want to do is stop packets coming in to your broadcast address.
> For example, for your network x.y.z/n  (n=24) with your broadcast address
> of x.y.z.255: (I presume everyone can translate between CIDR notation and
> dotted decimal ;-)
> 
> deny ip any x.y.z.255 255.255.255.255
> 
> no ip directed broadcast basically puts in the same rule, but it does it
> automatically by looking at the netmasks on the interfaces.
> 
> 		--Dean
> 
> >Why don't use the filter
> >
> > deny icmp any 0.0.0.255 255.255.255.0 echo-request
> >
> >on the incoming lines? It just block 99.999% of this smurf amplifiers;
> >and I hardly think someone eve sence this restriction for the real PING
> >tests.
> >
> >???
> >
> >
> >
> >On Fri, 17 Apr 1998, Dean Anderson wrote:
> >
> >> Date: Fri, 17 Apr 1998 18:09:08 -0400
> >> From: Dean Anderson <[email protected]>
> >> To: [email protected]
> >> Cc: [email protected]
> >> Subject: Re: SMURF amplifier block list
> >>
> >> > Does no ip directed broadcast really work?
> >>
> >> Yes. It works.
> >>
> >> And it works for whatever your particular netmask or broadcast address
> >> happens to be, which is what's important.
> >>
> >> The only time you shouldn't do it globally is when some other network
> >> really needs to see broadcasts.  For example, If we manage a client's
> >> network with HP OpenView over the internet, we need to be able to send them
> >> directed broadcasts, so that OpenView host discovery will work.  Patrol
> >> works the same way, as do other products.  In this case you can't use the
> >> "no ip directed broadcast" switch, but you can still set up access rules
> >> which do the same thing except for the permitted network.
> >>
> >> Bottom line is that you should protect your network from people who would
> >> either abuse it via smurfing, or simply have no business looking for hosts
> >> on your network. You have the tools to do it.
> >>
> >> 		--Dean
> >>
> >>
> >> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>            Plain Aviation, Inc                  [email protected]
> >>            LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
> >>            We Make IT Fly!                (617)242-3091 x246
> >> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> >>
> >>
> >>
> >
> >Aleksei Roudnev, Network Operations Center, Relcom, Moscow
> >(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095)
> >239-10-10, N 13729 (pager)
> >(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
> 
> 
> 
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>            Plain Aviation, Inc                  [email protected]
>            LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
>            We Make IT Fly!                (617)242-3091 x246
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> 
> 

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)