Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF amplifier block list

  • From: Phil Howard
  • Date: Sat Apr 18 16:45:05 1998

Dean Anderson writes...

> >> During an in progress attack, you probably have to take extreme measures,
> >Do you remember - it's not attack against you or attack by some of your
> >customer's networks used as amplifier, but the attack initiated from your
> >own network. You never note such thing withouth some permanent
> >measurement.
> 
> Oops. I misunderstood this first time round.  I don't think you can easily
> detect smurf initiations, because you have to guess at the broadcast
> address.
> 
> I think it is much easier to detect and block forged source addresses,
> which are also necessary for the hacker who is operating out of your
> network.

A combination of ...

1.  blocking outbound packets with sources not in your own networks

2.  blocking inbound packets addressed to broadcast addresses you know
    you have in your subnetting topology

3.  blocking inbound echo_request

4.  blocking outbound echo_reply

... would be a good start.  It breaks things like outsiders pinging your
network, but many find this an acceptable compromise.  I've done #1, #3
and #4 for over 4 years.  I plan to add #2 shortly, not only at the main
gateways, but also for all RADIUS based dialups, whether LAN or not.  I
already block outbound packets to port 25, except allow them to my mail
servers, for all but customers who run their own mail servers, via RADIUS,
for purposes of blocking spam relaying.  Of course that won't stop it all,
but it does stop most, including the naive.

I have no plans to block outbound packets to addresses ending in .255.

I'd love to be able to:

5.  block inbound packets with sources I have no routes for

6.  block inbound packets with sources that came in over an interface that
    such a source could not route to if it were a destination

-- 
Phil Howard | blow2me7@no4place.net a6b5c4d9@s1p0a0m4.net eat6this@noplace6.com
  phil      | stop5it8@spammer6.edu no9way48@dumbads1.net blow1me9@s0p0a9m2.edu
    at      | suck3it2@anywhere.net crash528@nowhere5.edu end7it11@lame7ads.com
  milepost  | stop6ads@no1where.org no59ads8@s6p5a1m6.org ads5suck@s8p8a3m8.edu
    dot     | no9way53@no37ads3.net eat25me5@s9p8a1m1.edu die8spam@spammer1.com
  com       | eat59me0@spammer5.org stop4181@dumbads9.net eat2this@spammer6.net




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.