[unisog] The old smurf attack and router filters
nelson at clunix.cl.msu.edu
Mon Dec 3 22:33:45 GMT 2001
> Hi I'm looking for some thoughts from you guys.
> Over the years we had problems w/our Unix boxes getting compromised and
> being used in the old smurf attack (a DoS that sends ICMP packets to a
> target network's network address and floods both connections). When I was
> placed in this position being a good little security admin one of the first
> things I did was take a look at our router configs and added a NO IP
> DIRECTED BROADCASTS which I believe is standard on latest router configs.
> The problem was that smurfs were still working. I eventually discovered that
> this was because the router was looking at the network address of our class B
> and not the subnets we had broken it into. So I added some access lists
> blocking .0's and 255's going both ways (to be good net neighbors) and all
> was well with the universe. I have not seen this attack in about 2 years.
> Recently we had a user whose broadband provider assigned him a .0 address
> and of course none of his packets were making it back to him. He's having
> difficulty getting the IP to release and get another one.
> My boss is claiming that other Universities don't do this and I'm wondering
> how true it is and, if I have to drop the filter, what a good solution may be.
I do block addresses ending in .0 and .255, but only inbound. I figure I can
impose the restriction against using .0 and .255 locally, but not necessarily
in the rest of the world. I do recall running into an instance of a .0 or
.255 address being used externally; it's possible I relaxed my filters somewhat
upon that discovery.
Doug Nelson nelson at msu.edu
Network Manager Ph: (517) 353-2980
Michigan State University
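An added illustration, not code from either poster, of the three filter behaviours the thread describes: a check that only knows the class B's own network/broadcast address (what the original poster found the router doing), the blunt "last octet is 0 or 255" access list, and a subnet-aware rule that drops only directed broadcasts for the site's own subnets. Addresses are constructed (172.16.0.0/16 stands in for the campus class B; 203.0.113.0 for the broadband user's .0 host).

```python
import ipaddress

# Constructed addresses (not the poster's): 172.16.0.0/16 stands in for the
# campus class B, carved into /24 subnets as described in the thread.
CAMPUS = ipaddress.ip_network("172.16.0.0/16")
SUBNETS = list(CAMPUS.subnets(new_prefix=24))  # 256 x /24


def class_b_only_filter(dst: str) -> bool:
    """What the poster found the router doing: only the class B's own
    network and broadcast addresses count, so subnet broadcasts slip by."""
    addr = ipaddress.ip_address(dst)
    return addr in (CAMPUS.network_address, CAMPUS.broadcast_address)


def last_octet_filter(dst: str) -> bool:
    """The blunt access list from the post: drop anything ending in .0 or
    .255, whatever the real mask is. Catches smurf amplifier traffic but
    also the broadband user whose provider handed out a .0 host address."""
    return ipaddress.ip_address(dst).packed[-1] in (0, 255)


def subnet_aware_filter(dst: str, subnets=SUBNETS) -> bool:
    """Precise rule: drop only traffic to the network or broadcast address
    of one of OUR subnets, i.e. a directed broadcast we could amplify."""
    addr = ipaddress.ip_address(dst)
    return any(
        addr in (net.network_address, net.broadcast_address)
        for net in subnets if addr in net
    )


def is_host_address(addr: str, prefixlen: int) -> bool:
    """Whether addr is a usable host under the given mask. A .0 address is
    a perfectly good host inside a /23 or shorter prefix."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    a = ipaddress.ip_address(addr)
    return a not in (net.network_address, net.broadcast_address)


def compare(dst: str) -> dict:
    """Run one destination address through all three rules."""
    return {
        "class_b_only": class_b_only_filter(dst),
        "last_octet": last_octet_filter(dst),
        "subnet_aware": subnet_aware_filter(dst),
    }
```

Running `compare("172.16.5.255")` shows why the class B-only check let smurfs through, and `is_host_address("203.0.113.0", 23)` shows why the .0 user is legitimate on a provider's /23.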