|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Filtering ICMP (Was Re: SMURF amplifier block list)
On Thu, 23 Apr 1998, Jason Lixfeld wrote: > Then how do you propose to effectively block smurf coming IN? You are > totally asking for it if you need to rely on your upstreams to protect > you. I agree with you. If we all deny ICMP, yeah it will fuck up the > Internet -- Good. I hope we all suffer. Maybe then people will Go back to the message that started the original thread. The people you adversely affect by your actions will be totally innocent victims. If, on the othere hand, you block the networks which are amplifying the smurf you will affect those orginizations who are guilty of contributory negligence and their employees/customers. 1) installing a router under your control on the upstream end of your uplink is a good idea if you want to minimize the load on your upstream end (this may result in two routers directly connected). 2) install your detection software to detect attacks, and semi-automatically (with approval from your 24 hour NOC staff) configures the countermeasures (below) 2) Filter out everything to/from the offending amplifier networks (not just icmp) on your upstream router (if you have it, downstream otherwise), except http: (if you can implement the next countermeasure) 3) If you have the capability (you can do this with a linux box and probably a *BSD box as well), redirect http traffic to the amplifier network or from the amplifier network to your "access denied" "web server" which simply responds to all http: queries with a temporary redirect to a non-cacheable page which explains why access was denied and gives the contact email and phone number for the offending networks NOC (possibly automatically extracted from whois). 4) when the amplifier network blocks the smurf and traces it to the originating network (and sends you the trace), unblock them and block the originating network (or the next negligent network). 5) unblock the originating network when they terminate the offending partie and install filters to prevent recurrence. Announce any blocks. At the moment, nanog might be the most appropriate forum. This isn't the cheapest solution but it would be far more effective at stamping out smurf. And the tools used put you in a much better situation to deal with similar attacks. If you don't have the resources to do this, get your upstream to do this; if you don't have an upstream, then there is little excuse for your network not having the resources to deal with stuff like this. On a separate but related matter, I have thrown together a web page which details many common ISP/network administrator mistakes which cause others lots of grief, including the kinds discussed in these threads http://www.dbd.com/~whitis/isp_mistakes.html If you have additions, particularly those, which are: - pervasive mistakes, or - not necessarily obvious send me email off list. Links to relevent or similar pages are appropriate. --------------------------------------------------------------------------- --- Mark Whitis <[email protected]> WWW: http://www.dbd.com/~whitis/ --- --- 428-B Moseley Drive; Charlottesville, VA 22903 804-962-4268 --- ---------------------------------------------------------------------------
|