mailing list archives
Re: RLBM (un"protection" method)
From: "Sam Birch" <birchsw () i1 net>
Date: Thu, 22 Jan 1998 22:14:57 -0600
From: Paul Ferguson <ferguson () cisco com>
To: Eric Osborne <osborne () notcom com>
Cc: Dave Van Allen <dave () fast net>; eric () ccti net <eric () ccti net>;
nanog () merit edu <nanog () merit edu>
Date: Thursday, January 22, 1998 11:00 AM
Subject: Re: Reporting Little Blue Men
> At 10:55 PM 1/21/98 -0500, Eric Osborne wrote:
> > How do you prevent packets from your network with a broadcast address,
> > when what defines a "broadcast" address really depends on the subnet mask?
> "no ip directed-broadcast"
That directive on the router will only protect the network of the router
interface it is put on. For example, if I have:
ip address X.Y.Z.1 255.255.255.0
no ip directed-broadcast
"ONLY" X.Y.Z.0 will be protected from someone trying to use "ping X.Y.Z.255"
as a bounce site. No other networks beyond the one I have defined with my
subnet mask will be protected. The reason I know this is because I was
hoping this directive would be an easy fix...but when I checked it out, the
hole in my logic became apparent. If anyone has experienced different, I
would be interested in hearing the IOS used and the setup of the router.
The "no ip directed-broadcast" directive, if applied to all router
interfaces, will prevent your site from being a bounce site in the smurf
attack. Unfortunately, it will not prevent you from being the end victim.
The only way I can think of to stop your site from being a victim is to do
one of two things: 1) block all ICMP (type 8, in particular) or 2) have some
type of firewall device that keeps track of all ICMP requests coming from
your site with the intent to block any ICMP responses that do not match a
request. Option 1 is not possible for most, and I currently don't know of a
proxy/firewall/etc... that will track ICMP in this way. If anyone does,
please let me know!
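The per-interface behaviour described in the post above, as an added example that is not part of the thread: a small Python model of a router with two attached subnets, parsed from an IOS-style config fragment. The interface names, addresses and masks are constructed for illustration; the point it shows is that "no ip directed-broadcast" only stops the bounce for the subnet on the interface it is configured on, and that the address an attacker has to ping depends on that interface's mask.

```python
# Added example, not from the NANOG thread. Models how a router with several
# interfaces treats a packet sent to a subnet's directed-broadcast address.
# All interface names, addresses and masks below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # attached subnet, e.g. 10.1.1.0/24
    directed_broadcast: bool         # IOS default is "ip directed-broadcast"


def build_interfaces(config_lines):
    """Parse a minimal IOS-style config into Interface objects.

    Recognises only 'interface X', 'ip address A M' and
    '[no] ip directed-broadcast'; every other line is ignored.
    """
    interfaces = []
    current = None
    for raw in config_lines:
        line = raw.strip()
        if line.startswith("interface "):
            current = Interface(line.split()[1], None, True)
            interfaces.append(current)
        elif line.startswith("ip address ") and current is not None:
            _, _, addr, mask = line.split()
            # strict=False lets us pass the interface address with its mask
            current.network = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        elif line == "no ip directed-broadcast" and current is not None:
            current.directed_broadcast = False
        elif line == "ip directed-broadcast" and current is not None:
            current.directed_broadcast = True
    return [i for i in interfaces if i.network is not None]


def classify(interfaces, dst):
    """Return what the router does with a packet addressed to dst.

    'amplify' : dst is the directed-broadcast address of an attached subnet
                whose interface still permits directed broadcasts, so the
                packet becomes a link-layer broadcast (a smurf bounce).
    'drop'    : same, but that interface has "no ip directed-broadcast".
    'forward' : dst is an ordinary host address on an attached subnet.
    'route'   : dst is not on any attached subnet at all.
    """
    dst = ipaddress.IPv4Address(dst)
    for iface in interfaces:
        if dst == iface.network.broadcast_address:
            return "amplify" if iface.directed_broadcast else "drop"
        if dst in iface.network:
            return "forward"
    return "route"


def remaining_bounce_addresses(interfaces):
    """Audit helper: broadcast addresses an outsider could still bounce off."""
    return [str(i.network.broadcast_address)
            for i in interfaces if i.directed_broadcast]


# Constructed config: the directive is set on Ethernet0 only, and Ethernet1
# uses a /25, so its broadcast address is .127 rather than .255.
SAMPLE_CONFIG = """
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
interface Ethernet1
 ip address 10.1.2.1 255.255.255.128
""".splitlines()


if __name__ == "__main__":
    ifaces = build_interfaces(SAMPLE_CONFIG)
    for target in ("10.1.1.255", "10.1.2.127", "10.1.2.255", "10.1.1.7"):
        print(f"ping {target:<12} -> {classify(ifaces, target)}")
    print("still usable as bounce addresses:", remaining_bounce_addresses(ifaces))
```

Running it shows 10.1.1.255 dropped, 10.1.2.127 amplified (Ethernet1 never got the directive), 10.1.2.255 simply routed because it is not a broadcast address under a /25 mask, and the audit helper listing the one subnet still exposed. Applying the directive to every interface empties that list, which is the "all router interfaces" condition the post gives for no longer being a bounce site.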
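The second option the post describes, a device that remembers outbound ICMP echo requests and admits only the replies that match one, as an added example that is not part of the thread and not any vendor's implementation. The tracker below keys pending requests on (source, destination, ICMP identifier, sequence number) and expires them after a timeout; the addresses and packet fields in the demo are constructed.

```python
# Added example, not from the NANOG thread. A minimal stateful filter for
# ICMP echo: outbound echo requests are recorded, and an inbound echo reply
# passes only if it matches a pending request. Addresses and identifiers in
# run_demo() are constructed test data.
import time
from collections import OrderedDict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


class IcmpEchoTracker:
    """Track outbound echo requests keyed by (src, dst, id, seq).

    Only echo request/reply pairs are handled here; ICMP error messages
    (unreachable, time exceeded, ...) would need the embedded IP header
    inspected instead and are simply dropped in this example.
    """

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.pending = OrderedDict()   # key -> time the request was seen

    def _expire(self, now):
        # Entries are kept in insertion order, so expire from the front.
        while self.pending:
            key, seen = next(iter(self.pending.items()))
            if now - seen <= self.timeout:
                break
            self.pending.popitem(last=False)

    def outbound(self, src, dst, icmp_type, icmp_id, seq, now=None):
        """Record an outbound packet; returns True if it was an echo request."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        if icmp_type != ICMP_ECHO_REQUEST:
            return False
        key = (src, dst, icmp_id, seq)
        self.pending.pop(key, None)    # re-sent request moves to the back
        self.pending[key] = now
        return True

    def inbound(self, src, dst, icmp_type, icmp_id, seq, now=None):
        """Return 'accept' or 'drop' for an inbound packet."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        if icmp_type != ICMP_ECHO_REPLY:
            return "drop"
        # A reply reverses the addresses of the request it answers.
        key = (dst, src, icmp_id, seq)
        if self.pending.pop(key, None) is None:
            return "drop"               # unsolicited, duplicate or expired
        return "accept"


def run_demo():
    """Constructed traffic: one real ping, a duplicate reply, a flood of
    unsolicited replies from a bounce network, and a reply that is late."""
    t = IcmpEchoTracker(timeout=30.0)
    results = {"accept": 0, "drop": 0}
    t.outbound("192.0.2.10", "198.51.100.5", ICMP_ECHO_REQUEST, 0x1234, 1, now=100.0)
    results[t.inbound("198.51.100.5", "192.0.2.10", ICMP_ECHO_REPLY, 0x1234, 1, now=100.1)] += 1
    # the same reply a second time is not accepted again
    results[t.inbound("198.51.100.5", "192.0.2.10", ICMP_ECHO_REPLY, 0x1234, 1, now=100.2)] += 1
    # 50 hosts on a bounce subnet answer a request we never sent
    for host in range(50):
        results[t.inbound(f"203.0.113.{host}", "192.0.2.10", ICMP_ECHO_REPLY, 0x1234, 1, now=101.0)] += 1
    # a reply that arrives after the timeout is dropped too
    t.outbound("192.0.2.10", "198.51.100.5", ICMP_ECHO_REQUEST, 0x1234, 2, now=200.0)
    results[t.inbound("198.51.100.5", "192.0.2.10", ICMP_ECHO_REPLY, 0x1234, 2, now=240.0)] += 1
    return results


if __name__ == "__main__":
    print(run_demo())
```

The demo accepts exactly one reply and drops the other 52. The limits are the ones the post hints at: the filter can only protect hosts behind the device, it has to sit in the path of the outbound requests as well as the inbound replies, and the replies still consume the upstream link before they reach it, so it stops the hosts from processing the flood but not the link from carrying it.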