Security Incidents mailing list archives
RE: ICMP/SYN Flood
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 22 May 2003 14:47:23 -0700
-----Original Message-----
From: Muhammad Naseer Bhatti [mailto:mail-lists () digitallinx com]

And the list goes on .. The question I want to ask here, is the network/router poorly configured at my NOC which is allowing broadcasts/networks to pass through it? If so, how can I assist them to fix it? I am not a Cisco guru, so I might need someone to give me some hints so that I can pass that to the poor NOC techs.
Briefly, NO. (I'm going to suggest a possibility further down this message, but I wouldn't characterise its current behaviour as "poorly configured" -- it's pretty normal.)

The definitions of broadcast and network addresses depend upon where the split is between the network and host portions of the address, which is pretty much private to the source network. (You can often make an educated guess by looking at routing tables from one hop away. Beyond that, you don't really know.)

MOST net blocks these days are smaller than a Class B, so addresses in which the last two octets are ".0.0" are *likely* to be network addresses. Your NOC guys *could* block those in an access list by wildcarding the first two octets (e.g., wildcard mask = 255.255.0.0). The risk that this would block any legitimate user is very tiny. It won't block all of your attackers, but it looks from your list like it might be enough to make a difference.

David Gillett
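To make the wildcard-mask suggestion concrete, here is an added worked example (editor's code, not part of David Gillett's message or the original report). It evaluates a two-line Cisco-style extended access list against a handful of constructed source addresses using Cisco wildcard semantics (a 0 bit in the wildcard must match, a 1 bit is "don't care", the inverse of a subnet mask). The ACL number 101, the sample addresses and the `log` keyword are assumptions for illustration; the point it shows is which addresses the ".0.0" rule catches and which obvious network/broadcast-looking addresses (x.y.z.0, x.y.z.255) it deliberately does not, which is why the message says it won't stop every attacker.

```python
"""Cisco-style wildcard-mask ACL evaluation for the '.0.0' source filter.

Added example; the ACL text and sample addresses below are constructed
for illustration and are not taken from the original report.
"""
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: 0 bits in the wildcard must match the base
    address, 1 bits are 'don't care' (the inverse of a subnet mask)."""
    care_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care_bits) == (ip_to_int(base) & care_bits)


def parse_acl(text: str):
    """Parse the subset 'access-list N deny|permit ip SRC [WILD] any [log]'.

    Only the source address/wildcard is evaluated; the destination is
    assumed to be 'any'. Returns a list of (action, base, wildcard) tuples
    in the order written, since Cisco ACLs are first-match.
    """
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "access-list":
            continue
        action, proto = parts[2], parts[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        if parts[4] == "any":                  # any source
            base, wild = "0.0.0.0", "255.255.255.255"
        elif parts[4] == "host":               # single host, no wildcard
            base, wild = parts[5], "0.0.0.0"
        else:                                  # explicit base + wildcard
            base, wild = parts[4], parts[5]
        rules.append((action, base, wild))
    return rules


def acl_action(rules, src: str) -> str:
    """First matching rule wins; a Cisco ACL ends with an implicit deny."""
    for action, base, wild in rules:
        if wildcard_match(src, base, wild):
            return action
    return "deny"


# The filter suggested in the message: source x.y.0.0 with wildcard
# 255.255.0.0 means 'any first two octets, last two octets must be 0.0'.
# ACL number and 'log' keyword are illustrative assumptions.
ACL_TEXT = """
access-list 101 deny   ip 0.0.0.0 255.255.0.0 any log
access-list 101 permit ip any any
"""

# Constructed sample of flood source addresses (documentation ranges).
SAMPLE_SOURCES = [
    "10.0.0.0",          # x.y.0.0       -> denied
    "172.16.0.0",        # x.y.0.0       -> denied
    "192.0.2.7",         # ordinary host -> permitted
    "203.0.113.0",       # likely /24 network address, not caught -> permitted
    "198.51.100.255",    # likely /24 broadcast, not caught -> permitted
]


def filter_sources(sources=SAMPLE_SOURCES, acl_text=ACL_TEXT):
    """Return {source: 'permit'|'deny'} for each address under the ACL."""
    rules = parse_acl(acl_text)
    return {src: acl_action(rules, src) for src in sources}


if __name__ == "__main__":
    for src, verdict in filter_sources().items():
        print(f"{src:16} {verdict}")
```

The wildcard 255.255.0.0 catches only addresses whose last two octets are both zero; a /24 network address such as 203.0.113.0 or its broadcast 198.51.100.255 sails through, and there is no way to extend the rule to those without knowing each source network's prefix length, which is exactly the caveat in the message.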
Current thread:
- ICMP/SYN Flood Muhammad Naseer Bhatti (May 22)
- RE: ICMP/SYN Flood David Gillett (May 23)
- Re: ICMP/SYN Flood Sebastian Jaenicke (May 23)
- Re: ICMP/SYN Flood CTA (May 23)
- Re: ICMP/SYN Flood Dr J (May 23)
- <Possible follow-ups>
- Re: ICMP/SYN Flood Muhammad Naseer Bhatti (May 23)
- RE: ICMP/SYN Flood Whiteside, Larry [contractor] (May 23)