NFR Wizards Archive: Re: Smurfs and fraggles

Re: Smurfs and fraggles


Bennett Todd (betnewritz.mordor.net)
Tue, 16 Feb 1999 14:29:38 +0000


1999-02-11-20:43:53 Bennett Todd:
>[ a note talking about configuring packet-filtering firewalls to block these
> attacks, suitable for deployment on the upstream end of your link ]

and somehow I got myself confused and repeatedly suggested that traceroute
uses UDP echo, which of course it doesn't; it uses UDP packets on a series of
high-numbered addresses, and generates its reports based on the errors they
return, using incrementing TTLs.

I knew this, I did, really....

Thanks to Carson for calling my attention to this braino gently.

As far as I can tell, the rest of the article stands unchanged, if you just
drop all mention of traceroute.

So you can block ICMP echo reply altogether and lose use of ping. You can
drop UDP echo and lose nothing anyone would miss. You can block them more
cleverly and allow legitimate traffic while blocking these DOS attacks. But
your blocks only protect the links past the place where you apply them; the
blocked attacks will still hammer everything upstream of your firewall. Far,
far better if the attack couldn't be effectively mounted in the first place.

You should of course have proper filters in place to ensure that your net
cannot be used as an amplifier to help attack someone else (accept no incoming
packets to the IP broadcast addresses). And you should likewise have filters
in place so your net cannot originate packets with forged source addresses.

-Bennett
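As an added illustration of the three filters the message describes (example code, not Bennett's own configuration), here is a small Python model of a border packet filter: it drops inbound packets addressed to the local broadcast address (the anti-amplifier rule), inbound ICMP echo replies and UDP echo (the blunt smurf/fraggle blocks), and outbound packets whose source is not from the local prefix (the anti-spoof egress rule). The prefix 192.0.2.0/24 and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed example prefix for the network sitting behind the filter.
LOCAL_NET = ip_network("192.0.2.0/24")
ICMP_ECHO_REPLY = 0   # ICMP type 0
UDP_ECHO_PORT = 7     # UDP echo service abused by fraggle


def filter_packet(pkt, direction):
    """Return (verdict, reason) for one packet.

    pkt: dict with 'src', 'dst', 'proto' ('icmp', 'udp' or 'tcp') and,
    as applicable, 'icmp_type', 'sport', 'dport'.
    direction: 'in' = arriving from upstream, 'out' = leaving the local net.
    """
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if direction == "in":
        # Anti-amplifier rule: accept no incoming packets to the broadcast
        # (or network) address, so this net cannot be used as a reflector.
        if dst in (LOCAL_NET.broadcast_address, LOCAL_NET.network_address):
            return "drop", "directed broadcast"
        # Blunt smurf defence: block ICMP echo reply altogether
        # (as the message notes, this also costs local users ping).
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REPLY:
            return "drop", "icmp echo reply"
        # Fraggle defence: drop UDP echo whichever side carries port 7.
        if pkt["proto"] == "udp" and UDP_ECHO_PORT in (pkt.get("sport"), pkt.get("dport")):
            return "drop", "udp echo"
    elif src not in LOCAL_NET:
        # Anti-spoof egress rule: this net must not originate packets
        # carrying a forged (non-local) source address.
        return "drop", "forged source"
    return "accept", "ok"


# Constructed sample traffic exercising each rule once.
SAMPLE_PACKETS = [
    ("in",  {"src": "203.0.113.5", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8}),
    ("in",  {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 0}),
    ("in",  {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "udp", "sport": 7, "dport": 40000}),
    ("in",  {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}),
    ("out", {"src": "10.9.9.9", "dst": "198.51.100.1", "proto": "icmp", "icmp_type": 8}),
    ("out", {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": "udp", "dport": 53}),
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply filter_packet to each (direction, packet) pair in order."""
    return [filter_packet(pkt, direction) for direction, pkt in packets]
```

Note that, exactly as the message says, these rules only protect what lies behind the filter; the reflected flood still arrives at the upstream link.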



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:09 CDT