[CISCO] directed-broadcast, ip classless
In case others are engaged in lobbying with cisco, here are my case numbers with the cisco TAC on this topic:

-----------------------------------------------------
CASE: H87031
OPENED: 05-AUG-97
DESCRIPTION: turn off IP packet directed broadcast by default
-----------------------------------------------------
CASE: H87037
OPENED: 05-AUG-97
DESCRIPTION: make "ip classless" default for ISP IOS images
-----------------------------------------------------

The "ip classless" is important since various folks have chunks of former class A address space but do not have the entire former class A. For example, @Home has a small slice of 24.x.x.x, but several other providers are also in 24.x.x.x.

Ran
rja@home.net
-----------------------------------------------------
CASE: H87031
OPENED: 05-AUG-97
DESCRIPTION: turn off IP packet directed broadcast by default
-----------------------------------------------------
CASE: H87037
OPENED: 05-AUG-97
DESCRIPTION: make "ip classless" default for ISP IOS images
-----------------------------------------------------
I agree with both, but thankfully they're both easy fixes.

Josh Beck jbeck@connectnet.com
----------------------------------------------------------------------
CONNECTNet INS, Inc.             Phone: (619)450-0254   Fax: (619)450-3216
6370 Lusk Blvd., Suite F-208     San Diego, CA 92121
----------------------------------------------------------------------
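An added example, not code from this thread or from Cisco: a small audit over a running-config (the sample below is constructed) that reports the two conditions Ran's TAC cases are about, an interface that still forwards directed broadcasts and a missing global "ip classless". It assumes the pre-12.0 IOS behaviour the thread complains about, where directed-broadcast forwarding is on unless "no ip directed-broadcast" is present on the interface (IOS 12.0 later made the off setting the default); the on_by_default flag switches that assumption off.

```python
from typing import Dict, List

# Constructed sample of an 11.x-style running-config (not from the thread).
SAMPLE_CONFIG = """\
version 11.2
!
interface Ethernet0
 ip address 204.253.208.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
!
interface Loopback0
 no ip address
"""

def interface_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' name to its indented body lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def audit_ios_config(config: str, on_by_default: bool = True) -> List[str]:
    """Report the two settings the thread's TAC cases ask Cisco to change.
    on_by_default=True models pre-12.0 IOS (assumption): directed broadcasts
    are forwarded unless 'no ip directed-broadcast' is on the interface."""
    findings: List[str] = []
    top_level = {l.strip() for l in config.splitlines() if l and not l.startswith(" ")}
    if "ip classless" not in top_level:
        findings.append("global: 'ip classless' missing; other subnets of a classful net you "
                        "partly hold get dropped instead of following the default route")
    for name, body in interface_stanzas(config).items():
        if not any(l.startswith("ip address ") for l in body):
            continue  # unnumbered interface cannot forward directed broadcasts
        explicit_on = "ip directed-broadcast" in body
        if explicit_on or (on_by_default and "no ip directed-broadcast" not in body):
            findings.append(f"{name}: forwards directed broadcasts (smurf "
                            "reflector); add 'no ip directed-broadcast'")
    return findings
```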
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
On Fri, 15 Aug 1997, Network Admin Account wrote:
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
Ping floods are quite possibly the single most common form of attempted denial of service attacks. If someone is ping flooding you, plug a sniffer into the ethernet and take a look at where they're coming from. Or, if you know what host on your network is under attack, a simple netstat will show you the open connections at that time. If you're lucky, it's just some clueless person doing a ping -f or similar. Or, you're being attacked by the smurf.c program (or similar) that forges icmp packets with your source address to broadcast addresses and then you get flooded by the replies.

I'd just go to a few of your machines and do a netstat on them, then dump the data to a file and see if you can see where all the ICMP packets are coming from. When you find out, it's time to get on the horn and talk to the Administrative and Technical contact for the domain.

Also, it might not be a bad idea to deny ICMP at your router. This can be done by adding a line like this to your cisco access-list:

access-list 101 permit icmp any host 204.253.208.20
access-list 101 permit icmp any host 204.253.208.10
access-list 101 deny icmp any 204.253.208.0 0.0.0.255
access-list 101 permit ip any any

the permit lines allow people from the outside (or whatever other interface(s) we apply this access list to) to still ping some sites. All icmp traffic to others is denied.

I don't mean to insult your intelligence if you already knew this, but I figured if you didn't know it, you might want to. And, we haven't experienced any ping flood recently that I can think of (the access-list did help).

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
Joe, Thanks... what if someone ping attacks the web server and then spoofs the IP address of the web server to attack someone else. We had that happen and we did use a sniffer and got tons of information from it, but the IP addresses that were there were from other places (like schools, other ISPs, etc.. etc..)... the person probably pinged the broadcast address of some other sites and got valid addresses and then ping attacked us. Have you recently experienced this???? We're trying to track down the person, but it's very difficult... any ideas...

On Fri, 15 Aug 1997, Joe Shaw wrote:
On Fri, 15 Aug 1997, Network Admin Account wrote:
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
Ping floods are quite possibly the single most common form of attempted denial of service attacks. If someone is ping flooding you, plug a sniffer into the ethernet and take a look at where they're coming from. Or, if you know what host on your network is under attack, a simple netstat will show you the open connections at that time. If you're lucky, it's just some clueless person doing a ping -f or similar. Or, you're being attacked by the smurf.c program (or similar) that forges icmp packets with your source address to broadcast addresses and then you get flooded by the replies.

I'd just go to a few of your machines and do a netstat on them, then dump the data to a file and see if you can see where all the ICMP packets are coming from. When you find out, it's time to get on the horn and talk to the Administrative and Technical contact for the domain.

Also, it might not be a bad idea to deny ICMP at your router. This can be done by adding a line like this to your cisco access-list:
access-list 101 permit icmp any host 204.253.208.20
access-list 101 permit icmp any host 204.253.208.10
access-list 101 deny icmp any 204.253.208.0 0.0.0.255
access-list 101 permit ip any any
the permit lines allow people from the outside (or whatever other interface(s) we apply this access list to) to still ping some sites. All icmp traffic to others is denied.
I don't mean to insult your intelligence if you already knew this, but I figured if you didn't know it, you might want to. And, we haven't experienced any ping flood recently that I can think of (the access-list did help).
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
flooded by the replies. I'd just go to a few of your machines and do a netstat on them, then dump the data to a file and see if you can see where all the ICMP packets are coming from. When you find out, it's time to get
And just how do you identify the source of the ICMP packets when the source address is forged? All too often when a customer calls to report this sort of problem to their upstream provider, the source of the traffic is traced to the shared media at an IXP and this, only after some laborious effort by the NOC staff of the upstream network provider. It is really hard to trace ICMP floods past the IXP shared media.

I'm not sure what can be done to make this easier but I have a few ideas. IMHO this is an important problem to solve because ICMP does some useful things so that most of us don't want to simply turn it off in our networks entirely. But we do need some tools and/or knobs in the routers to help us track down the source of these floods quickly and effortlessly.

One idea that I've had would be to have a tool which can poll your routers for SNMP stats on ICMP traffic and analyze them based on normal ICMP traffic levels to detect where an unusually large number of ICMP packets are entering your network. This probably needs some assistance from the researchers who study traffic stats to determine the baseline for what is normal, or perhaps to tell us that there is no absolute baseline and we need a tool to analyze our networks specifically to dynamically determine the baseline. This also assumes that ping floods are aberrant events, i.e. they do not occur so often that they appear to be the normal state of affairs. And it also assumes that during a ping flood attack even if the source addresses are spoofed, nevertheless the stream of packets all follow the same route and all originate on the same LAN.

Obviously, any solution to tracking these attacks will require a certain level of cooperation from all providers but I think it is in all our best interests to work on this because in the end it will save us from a lot of headaches and help all of us in our customer relationships.
********************************************************
Michael Dillon                   voice: +1-650-482-2840
Senior Systems Architect           fax: +1-650-482-2844
PRIORI NETWORKS, INC.            http://www.priori.net
"The People You Know. The People You Trust."
********************************************************
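An added example implementing the polling-and-baseline idea Michael describes; it is not code from the thread. It assumes the MIB-II icmpInMsgs counter is polled from each router once a minute (the poll log below is constructed), derives per-router packet rates while handling Counter32 wrap, and uses a median/MAD baseline so that one earlier flood inside the window does not inflate what counts as normal.

```python
from statistics import median
from typing import Dict, List, Tuple

COUNTER32_WRAP = 2 ** 32  # MIB-II icmpInMsgs is a Counter32 and wraps to 0

# Constructed poll log (not from the thread): (router, unix_time, icmpInMsgs)
# polled once a minute. rtr-a's counter wraps; rtr-b's last interval spikes.
POLLS: List[Tuple[str, int, int]] = [
    ("rtr-a", 0, 4294960000), ("rtr-a", 60, 4294966000), ("rtr-a", 120, 4704),
    ("rtr-a", 180, 10704), ("rtr-a", 240, 16704), ("rtr-a", 300, 22704),
    ("rtr-a", 360, 28704), ("rtr-a", 420, 34704),
    ("rtr-b", 0, 0), ("rtr-b", 60, 3000), ("rtr-b", 120, 6100),
    ("rtr-b", 180, 9000), ("rtr-b", 240, 12050), ("rtr-b", 300, 15000),
    ("rtr-b", 360, 18000), ("rtr-b", 420, 618000),
]

def icmp_rates(polls: List[Tuple[str, int, int]]) -> Dict[str, List[float]]:
    """Turn counter polls into per-router ICMP packets/second, wrap-safe."""
    by_router: Dict[str, List[Tuple[int, int]]] = {}
    for router, ts, value in polls:
        by_router.setdefault(router, []).append((ts, value))
    rates: Dict[str, List[float]] = {}
    for router, samples in by_router.items():
        samples.sort()
        series = []
        for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
            delta = (c1 - c0) % COUNTER32_WRAP  # correct across one wrap
            series.append(delta / (t1 - t0))
        rates[router] = series
    return rates

def flag_icmp_floods(rates: Dict[str, List[float]], k: float = 5.0,
                     min_pps: float = 200.0) -> List[Tuple[str, float, float]]:
    """Flag routers whose newest ICMP rate is far above their own history.
    Baseline is the median of earlier intervals with a MAD spread, which a
    single earlier flood cannot drag up. Returns (router, latest, baseline)."""
    alerts = []
    for router, series in rates.items():
        if len(series) < 4:
            continue  # too little history to call anything abnormal
        history, latest = series[:-1], series[-1]
        base = median(history)
        mad = median(abs(x - base) for x in history)
        spread = max(mad, 0.1 * base, 1.0)  # floor so a flat baseline is not hypersensitive
        if latest > base + k * spread and latest > min_pps:
            alerts.append((router, latest, base))
    return alerts
```

The min_pps floor keeps a quiet access router from alerting on a small absolute rise, which is the "no absolute baseline" case Michael raises.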
Michael Dillon writes:
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
flooded by the replies. I'd just go to a few of your machines and do a netstat on them, then dump the data to a file and see if you can see where all the ICMP packets are coming from. When you find out, it's time to get
And just how do you identify the source of the ICMP packets when the source address is forged?
Trace it back, painfully, hop by hop by hop.
I'm not sure what can be done to make this easier but I have a few ideas.
I have some too, but this isn't really the forum... Perry
One idea that I've had would be to have a tool which can poll your routers for SNMP stats on ICMP traffic and analyze them based on normal ICMP traffic levels to detect where an unusually large number of ICMP packets are entering your network. This probably needs some assistance from the researchers who study traffic stats to determine the baseline for what is normal, or perhaps to tell us that there is no absolute baseline and we need a tool to analyze our networks specifically to dynamically determine the baseline. This also assumes that ping floods are aberrant events, i.e. they do not occur so often that they appear to be the normal state of affairs. And it also assumes that during a ping flood attack even if the source addresses are spoofed, nevertheless the stream of packets all follow the same route and all originate on the same LAN.
I think it's critical that routers be capable of logging the hardware addresses of ICMP, along with source addresses, so that these attacks can be traced across shared media at exchanges. As it is now, it's hard enough to trace it back across a backbone, but if it crosses a MAE, it's perfectly anonymous unless new techniques are around that we aren't aware of.

Josh Beck jbeck@connectnet.com
----------------------------------------------------------------------
CONNECTNet INS, Inc.             Phone: (619)450-0254   Fax: (619)450-3216
6370 Lusk Blvd., Suite F-208     San Diego, CA 92121
----------------------------------------------------------------------
Josh Beck writes:
I think it's critical that routers be capable of logging the hardware addresses of ICMP, along with source addresses, so that these attacks can be traced across shared media at exchanges.
ICMP is only one of a dozen ways to attack people. There is no point in specially targeting ICMP. Unfortunately, it is, in practice, impossible to log ALL the traffic across a very busy router at an exchange point. In my opinion, the only long term solution here is software that is "smart" about tracebacks -- that is, can be directed in real time to log certain classes of traffic.

Perry
ICMP is only one of a dozen ways to attack people. There is no point in specially targeting ICMP.
Of course... so you have the capability to turn on logging for certain protocols or interfaces or whatever for a short time. If someone is seeing random source address ICMP packets for instance, a 20 second sample of a busy interface can provide enough information to trace this (with hardware addresses). And this is something that can be done right away.
In my opinion, the only long term solution here is software that is "smart" about tracebacks -- that is, can be directed in real time to log certain classes of traffic.
It would be nice, but for now logging the hardware addresses along with the ip addresses would be cool.

Josh Beck jbeck@connectnet.com
----------------------------------------------------------------------
CONNECTNet INS, Inc.             Phone: (619)450-0254   Fax: (619)450-3216
6370 Lusk Blvd., Suite F-208     San Diego, CA 92121
----------------------------------------------------------------------
On Fri, 15 Aug 1997, Network Admin Account wrote:
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
No, but we were hit with tons of UDP traffic that was chewing up DS3s worth of bandwidth, mostly coming from MAE-East and partially from Pennsauken.

Alex
Yes. It was interesting. My understanding is that what I am about to tell you is old news, but here:

Attacker sends a packet with a source address of the victim, with a dest address to the broadcast of a (pick any) network. Every machine on the network will then respond with an ICMP reply to the 'source' (the victim).

My understanding is that a 28.8 user could easily fill a T1 (or more) with this method. We have no proof, but someone did this to us from what appears to be an ISDN account from PSI, and filled 6 - 7 mb/s of our Ethernet genuity connection in doing so. It was *not* cool.

On Fri, 15 Aug 1997, Network Admin Account wrote:
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
Does anyone have any ideas where it's coming from???? We have had no luck with this at all????

On Fri, 15 Aug 1997, Alex Rubenstein wrote:
Yes. It was interesting. My understanding is that what I am about to tell you is old news, but here:
Attacker sends a packet with a source address of the victim, with a dest address to the broadcast of a (pick any) network. Every machine on the network will then respond with an ICMP reply to the 'source' (the victim).
My understanding is that a 28.8 user could easily fill a T1 (or more) with this method. We have no proof, but someone did this to us from what appears to be an ISDN account from PSI, and filled 6 - 7 mb/s of our Ethernet genuity connection in doing so. It was *not* cool.
On Fri, 15 Aug 1997, Network Admin Account wrote:
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
On Fri, 15 Aug 1997, Network Admin Account wrote:
=)
=) Has anyone been recently attacked by massive flood pings?????? We are
=) trying to locate any other ISPs or anyone else having the same problem.

We seem to get it all the time on the venus, earth, mercury.GAIANET.NET machines.

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin
participants (9)
- Alex "Mr. Worf" Yuriev
- Alex Rubenstein
- Joe Shaw
- Josh Beck
- Michael Dillon
- Network Admin Account
- Perry E. Metzger
- rja@corp.home.net
- Vincent Poy