|
Security Incidents
mailing list archives
Re: What am I seeing?
From: "'Bill Scherr IV, GCIA'" <bschnzl () bigfoot com>
Date: Thu, 25 Oct 2001 11:24:35 -0400
Folks...
Fraggle or smurf or cookie monster. Proper Ingress/Egress filtering
http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.
multi
and Router configuration (Router (config-subif)# no ip directed-broadcast)
http://www.cisco.com/warp/public/707/22.html
will make this a non-issue. obsid's script has an excellent list of IANA
reserved nets! It also blocks the RFC 1918 stuff and directed/limited
broadcasts. The point here is that no matter how you do it, put the proper
filters in place. (ISPs too!) DoS defense depends on ALL of us!
On 23 Oct 2001, at 13:35, Richard.Smith () predictive com wrote:
A fraggle attack is not an ICMP based attack. It is UDP based.
Nevertheless, you should be filtering all reserved and RFC 1918 networks
at your borders. This would prevent UDP ECHO's from ever reaching your
internal hosts. The intent of the attacker seems to be to bring down your /24
not any other external site. So they might redirect their attack at your router
if you filter their spoofed network. Then their attack might not be as
effective since it won't be amplified by your internal hosts, but it might be
annoying. If you have filtered their bogus source (0.0.0.0) and they continue
to barrage your router you have no choice but to work with your upstream
provider and track the source via ASN as Valdis mentioned below.
If you need info on filtering the reserved and/or RFC 1918 networks or
hardening Cisco routers in general a good white paper is Bastion Routers
and you can find it on Phrack.
http://www.phrack.org/show.php?p=55&a=10
Richard S Smith
Sr Information Security Analyst
Global Integrity a Division of Predictive Systems
Valdis.Kletnieks () vt edu
10/23/2001 12:29 PM
To: jkruser <jkruser () adelphia net>
cc: incidents () securityfocus com, focus-ids () securityfocus com
Subject: Re: What am I seeing?
On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said:
problem is...looks like, to me, that it is not coming from
outside...thus
the ingress filtering will not stop it. Or am I missing something?
79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated,
MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1
The trick here is to remember that ingress filtering will *not* stop these
packets (as you noted, they originate inside the filter). What you need to do
is find the packet that's being sent IN that's causing these replies, and
ingress filter THAT.
This is similar to stopping SMURF attacks (which consist of streams of
ICMP Echo Reply packets) by configuring your routers to Do The Right
Thing(*) with ICMP Echo *Request* packets....
--
Valdis
Kletnieks
Operating
Systems Analyst
Virginia
Tech
(*) The Right Thing is documented in RFC2644 "Changing the Default for
Directed Broadcast in Routers". To summarize - routers should drop
packets going to a subnet's broadcast address by default, and it should
only be enabled if you know what you're doing....
Bill Scherr IV, GCIA
Electronic Warfare Associates / IIT
Lafayette RTI, Camp Johnson
Colchester, VT 05446
802-338-3213
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
- RE: What am I seeing?, (continued)
|
Intro
