Re: Smurfs and fraggles
Laurent LEVIER (llevier@argosnet.com)
Fri, 12 Feb 1999 11:13:14 +0100
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Kenneth_W_Fox@sbphrd.com: "Zinjan & russian new years virus"
- Previous message: Stefan Jon Silverman: "Re: SecurID Agent-Server through proxy firewall"
- Maybe in reply to: Martin Bishop: "SecurID Agent-Server through proxy firewall"
- Next in thread: Bennett Todd: "Re: Smurfs and fraggles"
Hi,
Does anybody know if there is a tool/source to test if this kind of
attack works on a network?
At 20:43 11/02/99 +0000, you wrote:
>1999-02-11-16:37:53 dcostello@cmol.com:
>> Based on my understanding I don't see as there is a way to prevent from
>> being attacked unless I can somehow monitor the rate of incoming ICMP
>> packets and if there's some sudden spike from a certain IP address or
>> addresses automatically filter them out. That seems like a fair amount of
>> intelligence and programming to put into a router or firewall.
>
>To protect against this kind of DoS, you have to block the packets upstream of
>the bottleneck that will get swamped --- typically your link up to the
>backbone. I.e. you have to get your provider to put filters on _their_ router.
>
>While perhaps few sites do it until they've been attacked, it is becoming a
>relatively common practice to get ICMP echo reply blocked at the backbone
>router, losing you the ability to use ping. If fraggle were widely used people
>would have to do that with UDP echo as well, losing you the ability to use
>traceroute.
>
>A much more precise fix is possible, and could probably be programmed into a
>fw1 or other "stateful inspection" type firewall; you'd need to define rules
>to let the firewall block all packets of whatever type until some hint is
>given that you are gonna want them; the details will be application specific.
>E.g. for ping, the rule would be something like "if you see an outbound
>ICMP echo request, allow up to one return echo reply to come back, from the
>request's destination addr to the request's src addr, and drop the exception
>if it isn't used within 5 minutes". I expect a similar hack would work for UDP
>echo to allow traceroute to generate a complete report.
>
>I fear we probably won't succeed in stopping people from committing this sort
>of attack; it's too much effort to hunt the perps down and properly persecute
>them, few victims will bother. And the needed filters to prevent sites from
>being amplifiers will probably never be universally deployed. So I expect
>before too many years, the necessary minimum config for a good internet feed
>will include a suitably configured firewall on the provider's end.
>
>What firewalls are currently available that can in fact implement the kind of
>rules I'm fantasizing here? FW1? Cisco Pix? Anything else?
>
>-Bennett
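The "allow one echo reply per outbound echo request, and forget the expectation after 5 minutes" rule quoted above is easy to misread as ordinary packet filtering, so here is the rule written out as a small stateful filter. This is an added illustration, not code from the original message or from any firewall product; the inside address prefixes, the packet layout and the sample packet list are all constructed for the example. It keys the expected reply on (protocol, inside address, outside address, identifier), consumes the slot on first use, and treats a second reply, a reply nobody requested (which is exactly what a smurf or fraggle flood looks like from the victim's side) or a reply arriving after the window as a drop. The same key scheme is applied to UDP echo, as the message proposes for traceroute.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Unused "expected reply" slots are discarded after this long
# (the 5-minute figure from the quoted message).
PENDING_TTL_SECONDS = 300.0


@dataclass(frozen=True)
class EchoPacket:
    """One echo-style packet (constructed layout for this example).

    proto is 'icmp' or 'udp'; ident is the ICMP id/sequence or the UDP
    source port that ties a reply back to its request.
    """
    ts: float
    proto: str
    src: str
    dst: str
    kind: str   # 'request' or 'reply'
    ident: int


class EchoStateFilter:
    """Stateful allow-list for echo replies.

    An outbound request from an inside address opens exactly one reply
    slot. An inbound reply is allowed only if it consumes a live slot;
    duplicates, unsolicited replies and late replies are dropped.
    """

    def __init__(self, inside_prefixes: Tuple[str, ...]) -> None:
        # Assumption: "inside" is identified by simple address prefixes.
        self.inside_prefixes = inside_prefixes
        self.pending: Dict[Tuple[str, str, str, int], float] = {}

    def _is_inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefixes)

    def _expire(self, now: float) -> None:
        # Drop every slot whose 5-minute window has already closed.
        self.pending = {k: exp for k, exp in self.pending.items() if exp > now}

    def decide(self, pkt: EchoPacket) -> str:
        self._expire(pkt.ts)
        if pkt.kind == "request" and self._is_inside(pkt.src):
            key = (pkt.proto, pkt.src, pkt.dst, pkt.ident)
            self.pending[key] = pkt.ts + PENDING_TTL_SECONDS
            return "allow"
        if pkt.kind == "reply" and self._is_inside(pkt.dst):
            key = (pkt.proto, pkt.dst, pkt.src, pkt.ident)
            if key in self.pending:
                del self.pending[key]      # one reply per request, then close
                return "allow"
            return "drop"                  # unsolicited, duplicate or late
        # Other traffic (e.g. inbound requests) is outside this rule's scope.
        return "allow"


def run_filter(packets: List[EchoPacket]) -> List[Tuple[EchoPacket, str]]:
    """Feed packets through the filter in order and return each decision."""
    f = EchoStateFilter(inside_prefixes=("10.0.0.",))
    return [(p, f.decide(p)) for p in packets]


def dropped_replies_by_source(results: List[Tuple[EchoPacket, str]]) -> Dict[str, int]:
    """Count dropped replies per outside source: a quick view of who is
    sending echo replies nobody asked for."""
    counts: Dict[str, int] = {}
    for pkt, decision in results:
        if decision == "drop" and pkt.kind == "reply":
            counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return counts


# Constructed sample traffic: one normal ping exchange, a duplicate reply,
# three unsolicited replies, a UDP echo exchange and one late reply.
SAMPLE_PACKETS = [
    EchoPacket(0.0, "icmp", "10.0.0.5", "203.0.113.7", "request", 1),
    EchoPacket(0.1, "icmp", "203.0.113.7", "10.0.0.5", "reply", 1),
    EchoPacket(0.2, "icmp", "203.0.113.7", "10.0.0.5", "reply", 1),
    EchoPacket(1.0, "icmp", "198.51.100.1", "10.0.0.5", "reply", 77),
    EchoPacket(1.0, "icmp", "198.51.100.2", "10.0.0.5", "reply", 77),
    EchoPacket(1.0, "icmp", "198.51.100.3", "10.0.0.5", "reply", 77),
    EchoPacket(10.0, "udp", "10.0.0.5", "203.0.113.9", "request", 33434),
    EchoPacket(10.3, "udp", "203.0.113.9", "10.0.0.5", "reply", 33434),
    EchoPacket(100.0, "icmp", "10.0.0.6", "203.0.113.7", "request", 2),
    EchoPacket(500.0, "icmp", "203.0.113.7", "10.0.0.6", "reply", 2),
]

if __name__ == "__main__":
    for pkt, decision in run_filter(SAMPLE_PACKETS):
        print(f"{pkt.ts:6.1f} {pkt.proto:4} {pkt.kind:7} {pkt.src:>13} -> {pkt.dst:<9} {decision}")
    print(dropped_replies_by_source(run_filter(SAMPLE_PACKETS)))
```

Running it shows the first reply and the UDP reply allowed, and the duplicate, the three unsolicited replies and the reply that arrives 400 seconds after its request all dropped. The per-source drop counts are the detection side of the same state: under a reflected flood the dropped-reply counters for the amplifier addresses climb while legitimate ping and traceroute keep working.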
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:09 CDT