[unisog] The old smurf attack and router filters

Doug Nelson nelson at clunix.cl.msu.edu
Mon Dec 3 22:33:45 GMT 2001


> Hi I'm looking for some thoughts from you guys.
> 
> Over the years we had problems w/our Unix boxes getting compromised and
> being used in the old smurf attack (a DoS that sends ICMP packets to a
> target network's broadcast address and floods both connections).  When I was
> placed in this position, being a good little security admin, one of the first
> things I did was take a look at our router configs and added a NO IP
> DIRECTED BROADCASTS which I believe is standard on latest router configs. 
> 
> The problem was that smurfs were still working.  I eventually discovered that
> this was because the router was looking at the network address of our class B
> and not the subnets we had broken it into. So I added some access lists
> blocking .0's and 255's going both ways (to be good net neighbors) and all
> was well with the universe. I have not seen this attack in about 2 years.
> 
> Recently we had a user whose broadband provider assigned him a .0 address
> and of course none of his packets were making it back to him.  He's having
> difficulty getting the IP to release and get another one.
> 
> My boss is claiming that other Universities don't do this and I'm wondering
> how true it is and if I have to drop the filter what a good solution may be.

I do block addresses ending in .0 and .255, but only inbound.  I figure I can
impose the restriction against using .0 and .255 locally, but not necessarily
in the rest of the world.  I do recall running into an instance of a .0 or
.255 address being used externally; it's possible I relaxed my filters somewhat
upon that discovery.

Doug Nelson			nelson at msu.edu
Network Manager			Ph: (517) 353-2980
Computer Laboratory
Michigan State University
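As an added illustration (not from the thread, and using a constructed subnet plan with documentation addresses), a small Python check of the two points raised above: an ACL keyed on the last octet drops legitimate hosts in any subnet larger than a /24 (the broadband user's .0 address), while a check against the class B as a whole misses the per-subnet broadcast addresses that a smurf amplifier actually uses.

```python
import ipaddress

# Constructed example subnet plan: one /24 carved out of a campus block,
# plus one /23 where x.x.100.255 and x.x.101.0 are perfectly valid hosts.
SUBNETS = [ipaddress.ip_network(s) for s in (
    "192.0.2.0/24",
    "198.51.100.0/23",
)]

# The whole "class B" view the thread's router was using (constructed).
CLASS_B = [ipaddress.ip_network("192.0.0.0/16")]


def octet_filter_blocks(ip: str) -> bool:
    """The crude ACL from the thread: drop anything whose last octet is 0 or 255."""
    return (int(ipaddress.ip_address(ip)) & 0xFF) in (0, 255)


def subnet_aware_role(ip: str, subnets=SUBNETS) -> str:
    """Classify an address against a subnet plan as 'network', 'broadcast',
    'host', or 'unknown' when it falls outside every configured subnet."""
    addr = ipaddress.ip_address(ip)
    for net in subnets:
        if addr in net:
            if addr == net.network_address:
                return "network"
            if addr == net.broadcast_address:
                return "broadcast"
            return "host"
    return "unknown"


def should_drop_directed_broadcast(ip: str, subnets=SUBNETS) -> bool:
    """Defender's rule: drop traffic addressed to a configured subnet's
    broadcast (or network) address, and let real hosts through whatever
    their last octet happens to be."""
    return subnet_aware_role(ip, subnets) in ("network", "broadcast")
```

Evaluated against the /16 alone, 192.0.2.255 looks like an ordinary host, which is exactly why the router-level directed-broadcast check in the thread did not stop the attack; evaluated against the real subnet plan it is a broadcast address and is dropped.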