Re: [nsp] known networks for broadcast ping attacks
Alex Bligh writes:

} Urm, 192.41.177.255 is the MAE-East LAN ?! Are you saying attacks are
} being mounted from here or people are attacking this LAN (not
} sure which is more worrying)

If I'm interpreting the code comments correctly, what this silly "smurf" thing does is take a victim's IP address and generate an ICMP_ECHO_REQUEST with the victim's IP address as the source and an IP address from the array as the destination, and generate lots of such packets (per each destination). That way, the victim supposedly receives lots of ICMP_ECHO_REPLY packets - more so than from, say, the 28.8kbps dialup line from which the attack is taking place.

So basically this is just a simple DoS attack on bandwidth, supposedly multiplied by the fact that it uses broadcast addresses as the "proxy" attacker rather than unicast addresses. However, I don't know about everyone else, but my routers respond to such attempted directed-broadcast pings from their own unicast address, so it really isn't multiplying anything. And furthermore, if more people implemented source address filtering, it would be less of a problem - if it really is a problem at all.

(And to answer the proverbial "how do I configure my router for that" in advance, the answer is that, at least on my boxes, the not-allowing-broadcast-pings-through-as-broadcasts-onto-the-target-media thing is on by default. Source address filtering, however, is not.)

Jeff
--
Jeffrey S. Curtis               | Internetwork Manager
Argonne National Laboratory     | Email: curtis@anl.gov
9700 South Cass Avenue, ECT-221 | Voice: 630/252-1789
Argonne, IL 60439               | Fax: 630/252-9689
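The two observations in Jeff's message, that the spoofed echo requests are aimed at subnet broadcast addresses and that source address filtering would stop the forged source, are both mechanical checks a router or a capture analyser can make. The following Python is an added example, not code from the thread or from the smurf tool itself: it classifies constructed echo-request records against a constructed topology (interface names, prefixes and host counts are invented) and estimates how many replies the forged source receives with directed-broadcast forwarding on versus off.

```python
"""Classify ICMP echo requests for the two conditions in the thread and
estimate the reply volume the spoofed source (the victim) sees.
Topology and packet records are constructed for this example."""
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8

# Constructed topology: subnets attached to the router, by interface,
# with an assumed number of hosts on each segment that answer pings.
ATTACHED = {
    "Ethernet0": (ipaddress.ip_network("192.0.2.0/24"), 60),
    "Ethernet1": (ipaddress.ip_network("198.51.100.0/25"), 20),
}
# Serial0 is the upstream link and may legitimately carry any source, so
# only the LAN-facing interfaces get a source-address (ingress) filter.
INGRESS_PREFIX = {name: net for name, (net, _) in ATTACHED.items()}


def directed_broadcast_target(dst):
    """Interface whose subnet broadcast address equals dst, else None."""
    d = ipaddress.ip_address(dst)
    for name, (net, _) in ATTACHED.items():
        if d == net.broadcast_address:
            return name
    return None


def is_spoofed_source(ingress_iface, src):
    """Source-address filtering rule: a packet entering on a LAN-facing
    interface must carry a source inside that interface's prefix."""
    pfx = INGRESS_PREFIX.get(ingress_iface)
    return pfx is not None and ipaddress.ip_address(src) not in pfx


def classify(packets):
    """Tag each echo request with the red flags it trips.
    packets: iterable of (ingress_iface, icmp_type, src, dst)."""
    verdicts = []
    for iface, icmp_type, src, dst in packets:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        flags = []
        if directed_broadcast_target(dst) is not None:
            flags.append("directed-broadcast")
        if is_spoofed_source(iface, src):
            flags.append("spoofed-source")
        verdicts.append((src, dst, tuple(flags)))
    return verdicts


def replies_to_victims(packets, forward_directed_broadcast, router_answers=True):
    """Echo replies each 'source' receives. With forwarding on, every host
    on the target LAN answers; with it off, either the router alone answers
    (router_answers=True, the single reply Jeff and Jeremy describe) or
    nobody does. A unicast ping always earns exactly one reply."""
    received = Counter()
    for iface, icmp_type, src, dst in packets:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        target = directed_broadcast_target(dst)
        if target is None:
            received[src] += 1
        elif forward_directed_broadcast:
            received[src] += ATTACHED[target][1]
        elif router_answers:
            received[src] += 1
    return received


# Constructed sample: an attacker behind Serial0 sends echo requests with
# the victim's address as source to both subnet broadcast addresses.
VICTIM = "203.0.113.7"
SAMPLE = [
    ("Serial0", 8, VICTIM, "192.0.2.255"),
    ("Serial0", 8, VICTIM, "192.0.2.255"),
    ("Serial0", 8, VICTIM, "198.51.100.127"),
    ("Ethernet0", 8, VICTIM, "192.0.2.255"),         # forged source from inside the LAN
    ("Ethernet0", 8, "192.0.2.10", "192.0.2.1"),     # ordinary unicast ping
    ("Ethernet1", 0, "198.51.100.5", "192.0.2.10"),  # an echo reply, not inspected
]

if __name__ == "__main__":
    for verdict in classify(SAMPLE):
        print(verdict)
    print("forwarding on :", replies_to_victims(SAMPLE, True)[VICTIM])
    print("forwarding off:", replies_to_victims(SAMPLE, False)[VICTIM])
```

With the constructed numbers the same four forged requests cost the victim 200 replies when directed broadcasts are forwarded and 4 when they are not, which is the "isn't multiplying anything" point in concrete form; the fourth packet also shows that the ingress filter catches a forged source even where the destination check alone would not tell you who is lying.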
On Wed, 30 Jul 1997, Jeffrey S. Curtis wrote:

==>(And to answer the proverbial "how do I configure my router for that"
==>in advance, the answer is that, at least on my boxes, the not-allowing-
==>broadcast-pings-through-as-broadcasts-onto-the-target-media thing is on
==>by default. Source address filtering, however, is not.)

For Ciscos, "no ip directed-broadcast" on your interfaces will prevent remote devices from sending directed broadcasts. No guarantees about applications it might break, though.

/cah
On Wed, 30 Jul 1997, Craig A. Huegen wrote:

==>For Ciscos, "no ip directed-broadcast" on your interfaces will
==>prevent remote devices from sending directed broadcasts. No guarantees
==>about applications it might break, though.

Clarification: This won't keep you from getting attacked. However, it will keep your network from receiving the ECHO and therefore you won't send ECHO_RESPONSE.

/cah
this does work as you'd expect (it prevents the cisco from framing an IP broadcast packet into an ethernet broadcast frame) BUT unfortunately it can break Windows networking, as well as BOOTP/DHCP, depending on how you're set up.

but if you're not using one of the above (routed), then by all means, 'no ip directed-broadcast' is an excellent way to go..

--
On Wed, Jul 30, 1997 at 02:52:14PM -0700, Craig A. Huegen said:
> On Wed, 30 Jul 1997, Jeffrey S. Curtis wrote:
>
> ==>(And to answer the proverbial "how do I configure my router for that"
> ==>in advance, the answer is that, at least on my boxes, the not-allowing-
> ==>broadcast-pings-through-as-broadcasts-onto-the-target-media thing is on
> ==>by default. Source address filtering, however, is not.)
>
> For Ciscos, "no ip directed-broadcast" on your interfaces will prevent
> remote devices from sending directed broadcasts. No guarantees about
> applications it might break, though.
>
> /cah
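Craig's "no ip directed-broadcast" and the source address filtering Jeff mentions are both per-interface settings, and Edward's caveat about BOOTP/DHCP is the sort of thing you want surfaced next to them rather than discovered afterwards. The following Python is an added example, not configuration or code from anyone in the thread: it audits a constructed IOS configuration (interface names, addresses and ACL numbers are invented) for interfaces still forwarding directed broadcasts, for inbound ACLs that do not confine sources to the interface's own subnet, and for `ip helper-address` relays worth re-checking after the change. It assumes the IOS default of the period, where an interface forwards directed broadcasts unless it explicitly carries `no ip directed-broadcast`.

```python
"""Audit a Cisco IOS configuration for the per-interface controls discussed
in the thread: 'no ip directed-broadcast', an inbound source-address filter,
and the presence of DHCP/BOOTP relay ('ip helper-address'). The configuration
is constructed for this example."""
import ipaddress
from collections import defaultdict

# Assumption: the IOS default of the time, where directed broadcasts are
# forwarded unless the interface carries "no ip directed-broadcast".
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 10.1.1.5
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.128
 no ip directed-broadcast
 ip access-group 110 in
!
interface Ethernet2
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
 ip access-group 120 in
!
access-list 110 permit ip 198.51.100.0 0.0.0.127 any
access-list 110 deny ip any any log
access-list 120 permit ip any any
"""


def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard pair -> network. Returns None when the wildcard
    is non-contiguous and therefore has no single prefix-length equivalent."""
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):
        return None
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def acl_source(tokens):
    """Source part of an access-list entry: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    return wildcard_to_network(tokens[0], tokens[1])


def parse_ios(text):
    """Return ({interface: [sub-commands]}, {acl number: [(action, source)]})."""
    interfaces, acls, current = {}, defaultdict(list), None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None
        t = line.split()
        if t[:1] == ["interface"]:
            current = " ".join(t[1:])
            interfaces[current] = []
        elif t[:1] == ["access-list"]:
            # Extended ACLs name a protocol before the source; standard ones do not.
            src = t[4:] if t[3] in {"ip", "tcp", "udp", "icmp"} else t[3:]
            acls[t[1]].append((t[2], acl_source(src)))
    return interfaces, dict(acls)


def ingress_status(subnet, entries):
    """'ok' only if every permit in the inbound ACL is confined to the
    interface's own subnet, which is what source-address filtering needs.
    A non-contiguous wildcard (None) is treated as unconfined."""
    if entries is None:
        return "missing"
    if subnet is None:
        return "unverifiable"
    for action, src in entries:
        if action == "permit" and (src is None or not src.subnet_of(subnet)):
            return "permits-outside-sources"
    return "ok"


def audit(text):
    """Per-interface findings for the three checks."""
    interfaces, acls = parse_ios(text)
    report = {}
    for name, cmds in interfaces.items():
        subnet, acl_in = None, None
        for c in cmds:
            t = c.split()
            if t[:2] == ["ip", "address"] and len(t) >= 4:
                subnet = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
            elif t[:2] == ["ip", "access-group"] and t[-1] == "in":
                acl_in = t[2]
        report[name] = {
            "directed_broadcast_forwarded": "no ip directed-broadcast" not in cmds,
            "ingress_filter": ingress_status(subnet, acls.get(acl_in)),
            "dhcp_relay": any(c.startswith("ip helper-address") for c in cmds),
        }
    return report


if __name__ == "__main__":
    for iface, findings in audit(SAMPLE_CONFIG).items():
        print(iface, findings)
```

On the sample, Ethernet0 is the interface the thread is worried about (directed broadcasts forwarded, no ingress filter) and is also the one with a helper-address, so it is where Edward's "depending on how you're set up" has to be answered before the fix goes in; Ethernet2 shows the common half-measure of an inbound ACL that permits any source and so filters nothing.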
Maybe I'm not completely understanding this, but from my own testing, it seems to me that, when I do this without regard to ip directed broadcast, I get one response back from the closest interface, but perhaps they are using source routing or something to cause this?

In message <19970730211625.11611@texas.net>, Edward Henigin writes:

> this does work as you'd expect (it prevents the cisco from framing an IP
> broadcast packet into an ethernet broadcast frame) BUT unfortunately it
> can break Windows networking, as well as BOOTP/DHCP, depending on how
> you're set up.
>
> but if you're not using one of the above (routed), then by all means,
> 'no ip directed-broadcast' is an excellent way to go..
>
> --
> On Wed, Jul 30, 1997 at 02:52:14PM -0700, Craig A. Huegen said:
> > On Wed, 30 Jul 1997, Jeffrey S. Curtis wrote:
> >
> > ==>(And to answer the proverbial "how do I configure my router for that"
> > ==>in advance, the answer is that, at least on my boxes, the not-allowing-
> > ==>broadcast-pings-through-as-broadcasts-onto-the-target-media thing is on
> > ==>by default. Source address filtering, however, is not.)
> >
> > For Ciscos, "no ip directed-broadcast" on your interfaces will prevent
> > remote devices from sending directed broadcasts. No guarantees about
> > applications it might break, though.
> >
> > /cah

---
Jeremy Porter, Freeside Communications, Inc.      jerry@fc.net
PO BOX 80315 Austin, Tx 78708 | 1-800-968-8750 | 512-458-9810
http://www.fc.net