Security Incidents mailing list archives
Re: What am I seeing?
From: "'Bill Scherr IV, GCIA'" <bschnzl () bigfoot com>
Date: Thu, 25 Oct 2001 11:24:35 -0400
Folks... Fraggle or smurf or cookie monster. Proper Ingress/Egress filtering http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables. multi and Router configuration (Router (config-subif)# no ip directed-broadcast) http://www.cisco.com/warp/public/707/22.html will make this a non-issue. obsid's script has an excellent list of IANA reserved nets! It also blocks the RFC 1918 stuff and directed/limited broadcasts. The point here is that no matter how you do it, put the proper filters in place. (ISPs too!) DoS defense depends on ALL of us! On 23 Oct 2001, at 13:35, Richard.Smith () predictive com wrote:
A fraggle attack is not an ICMP based attack. It is UDP based. Nevertheless, you should be filtering all reserved and RFC 1918 networks at your borders. This would prevent UDP ECHO's from ever reaching your internal hosts. The intent of the attacker seems to be to bring down your /24 not any other external site. So they might redirect their attack at your router if you filter their spoofed network. Then their attack might not be as effective since it won't be amplified by your internal hosts, but it might be annoying. If you have filtered their bogus source (0.0.0.0) and they continue to barrage your router you have no choice but to work with your upstream provider and track the source via ASN as Valdis mentioned below. If you need info on filtering the reserved and/or RFC 1918 networks or hardening Cisco routers in general a good white paper is Bastion Routers and you can find it on Phrack. http://www.phrack.org/show.php?p=55&a=10 Richard S Smith Sr Information Security Analyst Global Integrity a Division of Predictive Systems Valdis.Kletnieks () vt edu 10/23/2001 12:29 PM To: jkruser <jkruser () adelphia net> cc: incidents () securityfocus com, focus-ids () securityfocus com Subject: Re: What am I seeing? On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said:problem is...looks like, to me, that it is not coming fromoutside...thusthe ingress filtering will not stop it. Or am I missing something?79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1The trick here is to remember that ingress filtering will *not* stop these packets (as you noted, they originate inside the filter). What you need to do is find the packet that's being sent IN that's causing these replies, and ingress filter THAT. This is similar to stopping SMURF attacks (which consist of streams of ICMP Echo Reply packets) by configuring your routers to Do The Right Thing(*) with ICMP Echo *Request* packets.... -- Valdis Kletnieks Operating Systems Analyst Virginia Tech (*) The Right Thing is documented in RFC2644 "Changing the Default for Directed Broadcast in Routers". To summarize - routers should drop packets going to a subnet's broadcast address by default, and it should only be enabled if you know what you're doing....
Bill Scherr IV, GCIA Electronic Warfare Associates / IIT Lafayette RTI, Camp Johnson Colchester, VT 05446 802-338-3213 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- What am I seeing? jkruser (Oct 23)
- <Possible follow-ups>
- RE: What am I seeing? Rob Keown (Oct 23)
- RE: What am I seeing? jkruser (Oct 23)
- Re: What am I seeing? Mike Lewinski (Oct 23)
- Re: What am I seeing? Valdis . Kletnieks (Oct 23)
- RE: What am I seeing? jkruser (Oct 23)
- Re: What am I seeing? Bill_Royds (Oct 23)
- Re: What am I seeing? Richard . Smith (Oct 23)
- Re: What am I seeing? 'Bill Scherr IV, GCIA' (Oct 25)