Firewall Wizards mailing list archives
Re[2]: Smurfs and fraggles
From: dcostello () cmol com
Date: Thu, 11 Feb 99 11:37:53 -0500
I realize that my filter won't prevent me from getting attacked but it will at least prevent me from being an amplifier. Based on my understanding I don't see as there is a way to prevent from being attacked unless I can somehow monitor the rate of incoming ICMP packets and if there's some sudden spike from a certain IP address or addresses automatically filter them out. That seems like a fair amount of intelligence and programming to put into a router or firewall.

____________________Reply Separator____________________
Subject: Re: Smurfs and fraggles
Author: Ted Doty <ted () iss net>
Date: 2/11/99 11:09 AM

At 08:54 PM 2/10/99 +0100, Arnd Vehling wrote:

> Hello,
>
>> If I understand this correctly would a simple solution be to filter all incoming broadcasts? Would it just be a matter of setting up a filter on the router to drop all incoming packets with a destination address of xxx.xxx.xxx.255 where xxx.xxx.xxx is my network address?
>
> If you are using /24 network (formerly known as Class-C) this is right.

This is the correct method to protect the rest of the 'net (i.e. being a good net.citizen). Unfortunately, it won't help YOUR network.

If I want to smurf you, I find a target that accepts incoming broadcasts (check the net for websites listing these places - the Bugtraq archives list at least one I can remember). Then I build a nice, big (say, 1000 byte) echo request using your address as the source and send it to the target. You get extra credit if you find a site that has a T3 feed.

At this point, 10000 hosts from the target send you a 1000 byte reply. There are no broadcast addresses in any of these packets, so your filter won't stop anything.

Sorry. Your filter is The Right Thing to do, but everyone needs to do it, and everyone doesn't.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax: +1 678 443-6479
Atlanta, GA 30328 USA | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
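
An added example, not part of the original posts: the caveat above that the x.x.x.255 rule is right only for a /24, worked through for other prefix lengths so the anti-amplifier filter matches the real directed-broadcast addresses. The subnets and sample destinations are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed example: prefixes routed behind the border router.
INTERNAL_SUBNETS = ["10.0.0.0/23", "10.0.2.0/26", "10.0.3.0/24"]

# Constructed sample destinations of inbound packets.
SAMPLE = ["10.0.0.255", "10.0.1.255", "10.0.2.63",
          "10.0.2.10", "10.0.3.255", "10.0.3.0"]


def naive_drop(dst):
    """The rule as stated in the thread: drop anything sent to x.x.x.255."""
    return dst.endswith(".255")


def subnet_aware_drop(dst, subnets=INTERNAL_SUBNETS):
    """Drop packets addressed to an internal subnet's directed broadcast.

    Matches the all-ones host address and also the all-zeros (network)
    address, which some older IP stacks answer as a broadcast.
    """
    addr = ipaddress.ip_address(dst)
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        # /31 and /32 prefixes have no broadcast address; every address
        # in them is a usable host, so never match those.
        if net.prefixlen >= net.max_prefixlen - 1:
            continue
        if addr in (net.broadcast_address, net.network_address):
            return True
    return False


def compare(destinations, subnets=INTERNAL_SUBNETS):
    """Return (destination, naive verdict, subnet-aware verdict) tuples."""
    return [(d, naive_drop(d), subnet_aware_drop(d, subnets))
            for d in destinations]


if __name__ == "__main__":
    for dst, naive, aware in compare(SAMPLE):
        note = ""
        if naive and not aware:
            note = "  <- ordinary host inside a /23, wrongly dropped"
        elif aware and not naive:
            note = "  <- directed broadcast the .255 rule misses"
        print(f"{dst:<12} naive={naive!s:<5} subnet_aware={aware!s:<5}{note}")
```

On routers that support it, disabling the forwarding of directed broadcasts per interface achieves the same result without maintaining a list of addresses.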