The old smurf attack and router filters

DelVecchio, Anthony R. ARDELVECCHIO at
Mon Dec 3 21:47:39 GMT 2001

Hi, I'm looking for some thoughts from you guys.

Over the years we had problems w/our Unix boxes getting compromised and
being used in the old smurf attack (a DoS that sends ICMP packets to a
target network's network address and floods both connections).  When I was
placed in this position, being a good little security admin, one of the first
things I did was take a look at our router configs and added a NO IP
DIRECTED BROADCASTS, which I believe is standard on latest router configs.

The problem was that smurfs were still working.  I eventually discovered that
this was because the router was looking at the network address of our class B
and not the subnets we had broken it into. So I added some access lists
blocking .0's and .255's going both ways (to be good net neighbors) and all
was well with the universe. I have not seen this attack in about 2 years.

Recently we had a user whose broadband provider assigned him a .0 address
and of course none of his packets were making it back to him.  He's having
difficulty getting the IP to release and get another one.

My boss is claiming that other Universities don't do this and I'm wondering
how true it is and if I have to drop the filter what a good solution may be.

Thanks for your help,

Tony DelVecchio
Network Security Manager
University of St Thomas
St Paul, MN USA
"Power corrupts.  Absolute power is kind of neat."
John Lehman - Former Secretary of the Navy
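The post describes two filters: a classful one that only protects the network and broadcast address of the whole class B, and a last-octet ACL that blocks every .0 and .255 address, which breaks hosts on CIDR blocks larger than a /24. The script below is an added example, not code from the post or the unisog list, and uses Python's standard `ipaddress` module to compare those two approaches against a third that blocks only the network and broadcast addresses of the subnets actually in use. All addresses are constructed: 172.16.0.0/16 stands in for the university class B, and 203.0.113.0 stands in for the broadband user's host address inside an assumed 203.0.112.0/22 block.

```python
import ipaddress

# Constructed example: a class B carved into subnets of different sizes,
# standing in for the network described in the post.
LOCAL_SUBNETS = ("172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/25", "172.16.3.128/25")
CLASSFUL_BLOCK = "172.16.0.0/16"


def classful_protected(dst, classful_block=CLASSFUL_BLOCK):
    """What a router that only knows the classful block covers: the network
    and all-ones broadcast of the whole block. Subnet broadcasts are missed,
    which is why smurfs kept working in the post."""
    net = ipaddress.ip_network(classful_block)
    return ipaddress.ip_address(dst) in (net.network_address, net.broadcast_address)


def subnet_broadcasts(subnets=LOCAL_SUBNETS):
    """Network and broadcast address of every subnet actually in use; these are
    the only local addresses a smurf can use as an amplifier target."""
    addrs = set()
    for s in subnets:
        net = ipaddress.ip_network(s)
        addrs.add(str(net.network_address))
        addrs.add(str(net.broadcast_address))
    return addrs


def octet_filter_blocks(dst):
    """The ACL from the post: drop anything whose last octet is .0 or .255,
    regardless of which network it belongs to or how that network is masked."""
    last_octet = int(ipaddress.ip_address(dst)) & 0xFF
    return last_octet in (0, 255)


def precise_filter_blocks(dst, subnets=LOCAL_SUBNETS):
    """Drop only packets aimed at a network or broadcast address of one of our
    own subnets. Remote destinations are left alone: we do not know their masks,
    so a remote x.x.x.0 may well be a legitimate host."""
    return str(ipaddress.ip_address(dst)) in subnet_broadcasts(subnets)


def compare(dsts, subnets=LOCAL_SUBNETS):
    """Return {dst: (classful, last-octet ACL, subnet-aware)} block decisions."""
    return {
        d: (classful_protected(d), octet_filter_blocks(d), precise_filter_blocks(d, subnets))
        for d in dsts
    }


if __name__ == "__main__":
    # Constructed destinations: a /24 broadcast, a /25 broadcast and network
    # address, an ordinary host, and a remote .0 host inside a /22.
    sample = ["172.16.1.255", "172.16.3.127", "172.16.3.128", "172.16.1.42", "203.0.113.0"]
    print(f"{'destination':<16}{'classful':<10}{'octet ACL':<11}subnet-aware")
    for dst, (c, o, p) in compare(sample).items():
        print(f"{dst:<16}{str(c):<10}{str(o):<11}{p}")
```

The three columns show the trade-off the post runs into: the classful check misses 172.16.1.255 entirely; the last-octet ACL catches it but also misses the /25 broadcast 172.16.3.127 and the /25 network address 172.16.3.128, while wrongly dropping the remote host 203.0.113.0; the subnet-aware filter blocks exactly the local amplifier addresses and nothing else. The same subnet list is what `no ip directed-broadcast` needs to be applied on each subnet interface rather than on the class B as a whole.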
