[unisog] The old smurf attack and router filters

John K Lerchey lerchey at andrew.cmu.edu
Mon Dec 3 22:32:09 GMT 2001


Tony,

I think the "good solution" here is to have the user request a non-zero IP
from their provider.  Since the broadcast addresses are abused so
frequently, I think that the ISP is being either stupid or careless by
assigning one to a user.

I would not lift the ban... it's worked well for you for 2+ years.  It's
proven itself. :)


John K. Lerchey
Computer and Network Security Coordinator
Computing Services
Carnegie Mellon University


On Mon, 3 Dec 2001, DelVecchio, Anthony R. wrote:

> Hi, I'm looking for some thoughts from you guys.
>
> Over the years we had problems w/our Unix boxes getting compromised and
> being used in the old smurf attack (a DoS that sends ICMP packets to a
> target network's network address and floods both connections).  When I was
> placed in this position being a good little security admin one of the first
> things I did was take a look at our router configs and added a NO IP
> DIRECTED BROADCASTS which I believe is standard on latest router configs.
>
> The problem was that smurfs were still working.  I eventually discovered that
> this was because the router was looking at the network address of our class B
> and not the subnets we had broken it into. So I added some access lists
> blocking .0's and 255's going both ways (to be good net neighbors) and all
> was well with the universe. I have not seen this attack in about 2 years.
>
> Recently we had a user whose broadband provider assigned him a .0 address
> and of course none of his packets were making it back to him.  He's having
> difficulty getting the IP to release and get another one.
>
> My boss is claiming that other Universities don't do this and I'm wondering
> how true it is and if I have to drop the filter what a good solution may be.
>
> Thanks for your help,
>
> -----------------------------------------------------
> Tony DelVecchio
> Network Security Manager
> University of St Thomas
> St Paul, MN USA
> 651.962.6246
> -----------------------------------------------------
> "Power corrupts.  Absolute power is kind of neat."
> John Lehman - Former Secretary of the Navy
>
>
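Added example, not part of the original thread: a comparison of a last-octet rule (.0/.255, as described in the quoted message) with a check that uses the real subnet masks. It shows why a .0 address from a provider can be an ordinary host address, and that a last-octet rule does not cover subnets smaller than a /24. All addresses, the subnet layout and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: three subnets carved out of one class B, and a
# provider pool that is larger than a /24 (assumption for illustration).
OWN_SUBNETS = [ipaddress.ip_network(n) for n in
               ("172.16.1.0/24", "172.16.2.0/26", "172.16.2.64/26")]
PROVIDER_POOL = ipaddress.ip_network("10.20.4.0/22")


def last_octet_filter(addr):
    """Octet-based rule: match any address ending in .0 or .255."""
    return (int(ipaddress.IPv4Address(addr)) & 0xFF) in (0, 255)


def subnet_aware_filter(addr, subnets):
    """Match only the network or broadcast address of a subnet we route."""
    ip = ipaddress.IPv4Address(addr)
    return any(net.prefixlen <= 30 and
               ip in (net.network_address, net.broadcast_address)
               for net in subnets)


def classify(addr, net):
    """Role of addr inside net when net's real mask is known."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in net:
        return "outside"
    if net.prefixlen <= 30 and ip == net.network_address:
        return "network"
    if net.prefixlen <= 30 and ip == net.broadcast_address:
        return "broadcast"
    return "host"


def report(addrs):
    """Return (address, last-octet verdict, subnet-aware verdict) per address."""
    return [(a, last_octet_filter(a), subnet_aware_filter(a, OWN_SUBNETS))
            for a in addrs]


if __name__ == "__main__":
    for row in report(["172.16.1.255", "172.16.2.63", "172.16.2.64", "10.20.5.0"]):
        print("%-14s last-octet=%-5s subnet-aware=%s" % row)
    print("10.20.5.0 in provider pool is a:", classify("10.20.5.0", PROVIDER_POOL))
```

The subnet-aware check only works for destinations whose masks you know, which is your own address space; masks of remote networks are not visible to the filtering router.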


