RE: Reporting Little Blue Men
That would make you one of the (few) Good Guys!

Dave Van Allen

-----Original Message-----
From: Eric Wieling [mailto:eric@ccti.net]
Sent: Wednesday, January 21, 1998 4:34 PM
To: nanog@merit.edu
Subject: Re: Reporting Little Blue Men

On Tue, Jan 20, 1998 at 07:50:16PM -0500, Dave Van Allen wrote:
Start by making sure your RAS users and direct customers (your network's edge) can only output packets that contain their valid source address. If everyone did this, all of the world's problems would go away: ozone depletion, world hunger, that silly rain forest thing, Smurfs and DoS and maybe even Microsoft! :-)
We prevent ANY packets to or from our network with a broadcast address. We don't filter on a per-machine basis for address spoofing, but ALL packets leaving our network must have a valid address on our network. Basically, one user on our network can spoof another user on our network, but no users can spoof addresses that are not on our network.

--Eric
--
Eric Wieling (eric@ccti.net), Chesapeake Communications Corporation
Sales: sales@ccti.net 504-585-1850, Support: support@ccti.net 504-535-5449
We have changed our name! Corporate Communications Technology is now known as Chesapeake Communications Corporation.
How do you prevent packets from your network with a broadcast address, since what defines a "broadcast" address really depends on the subnet mask?

eric
We prevent ANY packets to or from our network with a broadcast address. We don't filter on a per-machine basis for address spoofing, but ALL packets leaving our network must have a valid address on our network. Basically, one user on our network can spoof another user on our network, but no users can spoof addresses that are not on our network.
At 10:55 PM 1/21/98 -0500, Eric Osborne wrote:
How do you prevent packets from your network with a broadcast address, since what defines a "broadcast" address really depends on the subnet mask?
Filter all the blue wavelengths on your FDDI and OC3 interfaces.

**************************************************************
Justin W. Newton                         voice: +1-650-482-2840
Senior Network Architect                 fax:   +1-650-482-2844
PRIORI NETWORKS, INC.                    http://www.priori.net
Legislative and Policy Director, ISP/C   http://www.ispc.org
"The People You Know. The People You Trust."
**************************************************************
At 10:55 PM 1/21/98 -0500, Eric Osborne wrote:
How do you prevent packets from your network with a broadcast address, since what defines a "broadcast" address really depends on the subnet mask?
"no ip directed-broadcast"

- paul
Yeah, but the original post said something along the lines of "any packets to or from my network to a broadcast address". It's not the "to" part of that which is a problem, but the "from" - as you know, x.y.z.3 can be a host or a broadcast address (if it's a /30 mask).

In other words, I can't prevent my customers from sending packets to a broadcast address, esp. on a subnet smaller than /24. You might be able to block outgoing packets for destination x.y.z.255, but if you've got a mask >/24 (/23, etc..), couldn't .255 be a valid host address?

Just being picky, I suppose....

eric
At 10:55 PM 1/21/98 -0500, Eric Osborne wrote:
How do you prevent packets from your network with a broadcast address, since what defines a "broadcast" address really depends on the subnet mask?
"no ip directed-broadcast"
- paul
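As an added example (not code from any participant in this thread), the following Python models the two edge checks under discussion with constructed sample prefixes: the egress source check Eric Wieling describes ("all packets leaving our network must have a valid address on our network"), and the broadcast test Eric Osborne points out depends on the subnet mask, contrasted with a naive x.y.z.255 rule.

```python
import ipaddress
from typing import Iterable

# Constructed sample data (not from the thread): the aggregate prefixes this
# provider originates, and the subnets actually delegated to customers.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/23")]
OUR_SUBNETS = [ipaddress.ip_network(p) for p in
               ("192.0.2.0/30", "192.0.2.4/30", "192.0.2.128/25", "198.51.100.0/23")]


def source_is_ours(src: str, prefixes: Iterable[ipaddress.IPv4Network] = OUR_PREFIXES) -> bool:
    """Egress source check (the "from" side): a packet may leave only if its
    source address falls inside one of our prefixes. This is the per-network
    filter described in the thread: it stops forged outside sources, which is
    what smurf relies on, but one customer can still forge another customer's
    address within the same prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def is_broadcast(dst: str, subnets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Exact broadcast test: an address is a broadcast only relative to a
    subnet mask, so this needs the subnet table of the destination network."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in subnets)


def naive_255_rule(dst: str) -> bool:
    """The heuristic the thread warns against: treat every x.y.z.255 as broadcast."""
    return ipaddress.ip_address(dst).packed[-1] == 255


def compare_broadcast_checks(dst: str) -> dict:
    """Show where the .255 rule diverges from the mask-aware check on our own
    subnet table: .3 of a /30 is a broadcast the rule misses, and .255 inside
    a /23 is a valid host the rule would wrongly drop."""
    return {"naive": naive_255_rule(dst), "exact": is_broadcast(dst, OUR_SUBNETS)}


def egress_verdict(src: str, dst: str) -> str:
    """Edge filter combining both checks. The destination test is only exact
    for subnets whose masks we know (our own); for packets bound for someone
    else's network the mask is unknown, which is Eric Osborne's objection."""
    if not source_is_ours(src):
        return "drop: source not in our prefixes"
    if is_broadcast(dst, OUR_SUBNETS):
        return "drop: broadcast address of one of our subnets"
    return "forward"
```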
At 11:41 AM 1/22/98 -0500, Eric Osborne wrote:
In other words, I can't prevent my customers from sending packets to a broadcast address, esp. on a subnet smaller than /24. You might be able to block outgoing packets for destination x.y.z.255, but if you've got a mask >/24 (/23, etc..), couldn't .255 be a valid host address?
Yes, it could be, actually. I tried to use it as a WAN pool address once though and it horrendously confused the RAS, as well as several UNIX boxen on the network.
On Thu, Jan 22, 1998 at 10:21:46AM -0800, Justin W. Newton wrote:
At 11:41 AM 1/22/98 -0500, Eric Osborne wrote:
In other words, I can't prevent my customers from sending packets to a broadcast address, esp. on a subnet smaller than /24. You might be able to block outgoing packets for destination x.y.z.255, but if you've got a mask >/24 (/23, etc..), couldn't .255 be a valid host address?
Yes, it could be, actually. I tried to use it as a WAN pool address once though and it horrendously confused the RAS, as well as several UNIX boxen on the network.
Yes, it could be, but let's remember; isn't the smurf attack the one that _depends_ on a forged _source_ IP address in order to "work"?

Cheers,
-- jra
--
Jay R. Ashworth                                    jra@baylink.com
Member of the Technical Staff       Unsolicited Commercial Emailers Sued
The Suncoast Freenet                "Two words: Darth Doogie." -- Jason Colby,
Tampa Bay, Florida                  on alt.fan.heinlein          +1 813 790 7592
At 07:09 PM 1/22/98 -0500, Jay R. Ashworth wrote:
Yes, it could be, but let's remember; isn't the smurf attack the one that _depends_ on a forged _source_ IP address in order to "work"?
And, as an aside, the draft-ferguson-ingress-filtering-03.txt draft has been advanced by the IESG to be published as an Informational RFC. Please go beat people over the head with it when it is published.

Thank you for your attention,

- paul
On Thu, Jan 22, 1998 at 11:33:44PM -0500, Paul Ferguson wrote:
At 07:09 PM 1/22/98 -0500, Jay R. Ashworth wrote:
Yes, it could be, but let's remember; isn't the smurf attack the one that _depends_ on a forged _source_ IP address in order to "work"?
And, as an aside, the draft-ferguson-ingress-filtering-03.txt draft has been advanced by the IESG to be published as an Informational RFC.
Please go beat people over the head with it, when it is published.
Thank you for your attention,
- paul
We already do source filtering for the majority of our connection customers; the exceptions are those on full DS1s who have announcement capability (even if they're not using it).

This *includes*, by the way, our dial customers..... It's not impossible, but does require a bit of work.

--
--
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly to FULL DS-3 Service
                             | NEW! K56Flex support on ALL modems
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
At 08:21 AM 1/23/98 -0600, Karl Denninger wrote:
We already do source filtering for the majority of our connection customers; the exceptions are those on full DS1s who have announcement capability (even if they're not using it).
This *includes*, by the way, our dial customers..... It's not impossible, but does require a bit of work.
So this means that you filter anyone who writes you small checks but not people who write you large checks? Funny, we just filter everyone.
At 02:23 PM 1/23/98 PST, Randy Bush wrote:
we just filter everyone.
cool. btw, how are you filtering sprintlink announcements?
Sorry, I meant we just filter all of our customers. Still working on peer and transit filters.