Firewall Wizards mailing list archives

Re: Re[2]: Smurfs and fraggles


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Thu, 11 Feb 1999 14:02:17 -0800





I realize that my filter won't prevent me from getting attacked but it will at
least prevent me from being an amplifier.  Based on my understanding I don't see
as there is a way to prevent from being attacked unless I can somehow monitor
the rate of incoming ICMP packets and if there's some sudden spike from a
certain IP address or addresses automatically filter them out.  That seems like
a fair amount of intelligence and programming to put into a router or firewall.

Nah, setting thresholds and taking some action is something that many IDS
systems and some firewalls can do.  The problem is (for most people) that
by the time the traffic reaches some device you control, the damage is done.
I.e. you can filter it at your access router, but your T1 is full.  The attacker
has to find a site with more bandwidth than you to bounce off of.

Usually, most people want to detect smurf attacks so they can call
the admin of the relay site and ask them to fix their config.

                              Ryan
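
The threshold check discussed in this message, as an added example that is not part of the original post: it groups inbound ICMP echo replies by source subnet per second and reports the networks acting as relays, which is the information needed to contact the relay site's admin. The record format, the thresholds, the /24 grouping and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

ECHO_REPLY = 0  # ICMP type 0; a smurf victim receives these without having sent requests


def make_sample():
    """Constructed records: (unix_second, source_ip, icmp_type)."""
    records = []
    # 40 hosts on one subnet each answer 5 times in the same second (relay behaviour).
    for host in range(1, 41):
        records += [(100, f"198.51.100.{host}", ECHO_REPLY)] * 5
    # Ordinary background traffic: isolated replies and one echo request (type 8).
    records += [
        (100, "203.0.113.7", ECHO_REPLY),
        (101, "203.0.113.7", ECHO_REPLY),
        (101, "192.0.2.9", 8),
    ]
    return records


def find_relays(records, reply_threshold=100, min_hosts=10, prefix=24):
    """Return {(second, network): (replies, distinct_hosts)} for suspected relays.

    A relay network shows up as many distinct hosts in one subnet all sending
    echo replies in the same interval, so both a packet count and a host count
    must be exceeded (assumed thresholds; tune to the link's normal traffic).
    """
    replies = defaultdict(int)
    hosts = defaultdict(set)
    for second, src, icmp_type in records:
        if icmp_type != ECHO_REPLY:
            continue
        network = str(ip_network(f"{src}/{prefix}", strict=False))
        key = (second, network)
        replies[key] += 1
        hosts[key].add(src)
    return {
        key: (replies[key], len(hosts[key]))
        for key in replies
        if replies[key] >= reply_threshold and len(hosts[key]) >= min_hosts
    }


if __name__ == "__main__":
    for (second, network), (count, nhosts) in find_relays(make_sample()).items():
        print(f"t={second} relay={network} replies={count} hosts={nhosts}")
```
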







