[unisog] The old smurf attack and router filters

Gary Flynn flynngn at jmu.edu
Mon Dec 3 23:27:27 GMT 2001


We prevent others from using our broadcast addresses as amplifiers
for smurf attacks by blocking incoming packets destined for our
broadcast addresses. This, along with outgoing anti-spoof filters,
is the basic configuration for any good netcitizen.

I don't think it is expected, nor realistic, to block outgoing
packets destined for classful broadcast addresses in this day
and age of CIDR addressing. Indeed, our own RESNET segments
contain students with .0 and .255 addresses in this
configuration.

Trying to do so only prevents someone on your network from
initiating a smurf attack. While it is commendable to attempt,
as you've found, you also block access to legitimate users.
If someone on your network is performing mischief, whether
from a compromised system or their own, it is a much bigger
problem and blocking outgoing packets destined for old style
broadcast packets is a drop in the bucket as far as a 
preventive measure is concerned.

In other words, IMHO, you should remove the outgoing filters and
have a long and serious talk with any owners of boxes that
repeatedly get compromised.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
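
The point above about .0 and .255 host addresses under CIDR, as an added example that is not part of the original post: it compares the real network and broadcast addresses of a site's subnets with the old "last octet is 0 or 255" rule. The prefixes, addresses and function names are constructed for illustration, and treating the all-zeros network address as a broadcast target is an assumption of this example.

```python
import ipaddress

# Constructed sample subnets (private / documentation ranges), not from the post.
LOCAL_PREFIXES = ["10.20.0.0/22", "192.0.2.0/25", "192.0.2.128/25"]

def directed_broadcasts(prefixes):
    """Addresses an inbound anti-amplifier filter has to drop.

    Assumption: the all-zeros network address is included alongside the
    all-ones broadcast, because some old stacks answer to both."""
    blocked = set()
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        blocked.add(net.network_address)
        blocked.add(net.broadcast_address)
    return blocked

def looks_classful_broadcast(addr):
    """Old-style rule: the last octet is 0 or 255."""
    return (int(ipaddress.ip_address(addr)) & 0xFF) in (0, 255)

def heuristic_errors(prefixes, destinations):
    """Return (false_positives, misses) of the last-octet rule.

    false_positives: ordinary hosts the rule would block.
    misses: real subnet broadcast addresses the rule lets through."""
    real = directed_broadcasts(prefixes)
    false_positives, misses = [], []
    for dest in destinations:
        is_real = ipaddress.ip_address(dest) in real
        flagged = looks_classful_broadcast(dest)
        if flagged and not is_real:
            false_positives.append(dest)
        elif is_real and not flagged:
            misses.append(dest)
    return false_positives, misses

if __name__ == "__main__":
    # Constructed destinations: hosts inside the /22, plus /25 boundaries.
    sample = ["10.20.1.255", "10.20.2.0", "10.20.3.255",
              "192.0.2.127", "192.0.2.10"]
    fp, missed = heuristic_errors(LOCAL_PREFIXES, sample)
    print("ordinary hosts the last-octet rule would block:", fp)
    print("real broadcasts the last-octet rule misses:", missed)
```
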


