One of my customers is being smurfed right now. Filling a 10 Meg to UU Net. It is wonderful to know that everyone has 'no ip directed-broadcast'. It's *SO* easy to do!
On Fri, 13 Feb 1998, Alex Rubenstein wrote:

> It is wonderful to know that everyone has 'no ip directed-broadcast'.
> It's *SO* easy to do!
Hmmm, let's see...

Bay Networks, Inc. and its Licensors.
Copyright 1992, 1993, 1994, 1995, 1996, 1997.
All rights reserved.

Login: Manager
Password:
Mounting new volume...
Device label:
Directory:
1:
New Present Working Directory: 1:
Welcome to the Backbone Technician Interface

[1:TN]$ conf t
conf t: unknown command
[1:TN]$ no ip directed-broadcast
no ip directed-broadcast: unknown command

It's all well and good that everyone knows backwards and forwards how to configure this sort of thing on a Cisco, but there are other vendors out there making routers too. What is trivial in IOS may turn out to be a real bitch on other equipment. From what I understand, Bay is working on getting a similar feature in 12.something, but what of Ascend, OpenRoute, and others making equipment that can handle big connections?

Perhaps some of the folks on NANOG that use equipment other than Cisco would like to share how they "configure their router for that"? It would be a nice service to everyone...

Charles
> Perhaps some of the folks on NANOG that use equipment other than Cisco would like to share how they "configure their router for that"? It would be a nice service to everyone...
>
> Charles
Your router packet-filters, right? I don't know the Bay config syntax, but a poor-man's version of "no ip directed-broadcast" is to disallow ICMP (or IP, if you have to do it that way) to the broadcast addresses on your network.

Yeah, it's not perfect. Yeah, there are some problems with it. Yeah, it won't work terribly well if you break up CIDR blocks and hand them to customers who break them up and hand them to customers who break them up.... but it will work. Especially if you apply it as close to the customer side of things as possible.

eric
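The filter Eric describes, as an added example that is not code from this thread or from any router vendor: it models the "drop ICMP (or all IP) to the broadcast addresses" rule in Python and, going one step beyond the thread, computes the broadcast targets for arbitrary prefixes rather than only /24s, which is what exposes the sub-delegated-CIDR gap he warns about. The prefixes are RFC 5737 documentation ranges, and the packet records and the `is_dropped` / `filter_packets` / `missed_by_parent_filter` helpers are constructed for this example.

```python
"""Added example, not code from the NANOG thread or from any router
vendor: a model of the "poor-man's no ip directed-broadcast" packet
filter described in the thread, which drops packets addressed to the
broadcast addresses of the networks you protect. It also shows the
caveat about sub-delegated CIDR blocks: each sub-block has its own
broadcast (and legacy all-zeros) address, so a filter built from the
parent prefix alone misses them.

Prefixes below are RFC 5737 documentation addresses; the packet
records are constructed sample data, not captured traffic."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed packet record: {"proto": ..., "src": ..., "dst": ...}
Packet = Dict[str, str]


def broadcast_targets(prefixes: Iterable[str]) -> Set[str]:
    """All-ones broadcast and all-zeros (legacy BSD-style) broadcast of
    each prefix: the destinations a directed-broadcast ping uses to get
    every host on the LAN to answer at once."""
    targets: Set[str] = set()
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        targets.add(str(net.network_address))
        targets.add(str(net.broadcast_address))
    return targets


def is_dropped(pkt: Packet, targets: Set[str], icmp_only: bool = True) -> bool:
    """Filter decision: drop traffic to a broadcast target. With
    icmp_only=False it drops all IP to those addresses, the blunter
    variant for platforms that cannot match on ICMP alone."""
    if pkt["dst"] not in targets:
        return False
    return pkt["proto"] == "icmp" or not icmp_only


def filter_packets(packets: Iterable[Packet], targets: Set[str],
                   icmp_only: bool = True) -> Tuple[List[Packet], List[Packet]]:
    """Split a packet list into (passed, dropped) under the filter."""
    passed: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (dropped if is_dropped(pkt, targets, icmp_only) else passed).append(pkt)
    return passed, dropped


def missed_by_parent_filter(parent: str, subblocks: Iterable[str]) -> Set[str]:
    """Broadcast targets of the sub-delegated blocks that a filter built
    only from the parent prefix does not cover."""
    return broadcast_targets(subblocks) - broadcast_targets([parent])


# Constructed sample traffic arriving from the upstream side.
SAMPLE_PACKETS: List[Packet] = [
    {"proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.255"},   # directed broadcast, parent /24
    {"proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.127"},   # directed broadcast, customer /26
    {"proto": "icmp", "src": "203.0.113.9", "dst": "192.0.2.10"},    # ordinary ping to one host
    {"proto": "udp",  "src": "203.0.113.9", "dst": "192.0.2.255"},   # non-ICMP to the broadcast
    {"proto": "tcp",  "src": "203.0.113.9", "dst": "198.51.100.7"},  # unrelated traffic
]

PARENT = "192.0.2.0/24"
CUSTOMER_BLOCKS = ["192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/26", "192.0.2.192/26"]


if __name__ == "__main__":
    parent_only = broadcast_targets([PARENT])
    with_subblocks = broadcast_targets(CUSTOMER_BLOCKS)
    for label, targets in (("parent /24 only", parent_only), ("customer /26s", with_subblocks)):
        passed, dropped = filter_packets(SAMPLE_PACKETS, targets)
        print(f"{label}: dropped {len(dropped)}, passed {len(passed)}")
    print("targets missed by the parent-only filter:",
          sorted(missed_by_parent_filter(PARENT, CUSTOMER_BLOCKS), key=ipaddress.ip_address))
```

Run directly, it shows that a filter built from the parent /24 drops only one of the two directed-broadcast probes, while one built from the customer /26s drops both, and that the parent-only filter leaves six sub-block broadcast addresses uncovered. That gap is the reason for applying the rule as close to the customer side as possible, where the real subnet boundaries are known.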
On Fri, 13 Feb 1998, Charles Sprickman wrote:

==>It's all well and good that everyone knows backwards and forwards how to
==>configure this sort of thing on a Cisco, but there are other vendors out
==>there making routers too. What is trivial in IOS may turn out to be a
==>real bitch on other equipment. From what I understand, Bay is working on
==>getting a similar feature in 12.something, but what of Ascend, OpenRoute,
==>and others making equipment that can handle big connections?
==>
==>Perhaps some of the folks on NANOG that use equipment other than Cisco
==>would like to share how they "configure their router for that"? It would
==>be a nice service to everyone...

http://www.quadrunner.com/~chuegen/smurf.txt

It has Bay Networks and Proteon information, and I'm adding Ascend information as well within the next week.

With Bay Networks, you must set a false static ARP for the broadcast address and then it will not send directed broadcasts. A Bay SE tells me that an option to disable directed broadcasts is being implemented and will be in a major release expected around April.

With Ascend, you must filter traffic to the broadcast address.

This page has been up since October and was mentioned in the CERT, bugtraq, etc., advisories as well as a lot of media articles on smurfing. Where've you been? =)

/cah
On Fri, 13 Feb 1998 11:51:29 -0800 (PST) "Craig A. Huegen" <chuegen@quadrunner.com> wrote:

> http://www.quadrunner.com/~chuegen/smurf.txt
>
> With Bay Networks, you must set a false static ARP for the broadcast address and then it will not send directed broadcasts. A Bay SE tells me that an option to disable directed broadcasts is being implemented and will be in a major release expected around April.
To take the false static ARP concept a little further, I've been advised to use a fake adjacent host entry to accomplish this. A Bay SE sent this to me today:

"In order to protect a directly connected network from being a smurf launch point, you can configure an Adjacent Host for the broadcast address (if the network is a /24 then the broadcast addresses would be x.x.x.0 and x.x.x.255) with a bogus MAC address. This will cause the smurf traffic to be sent to that bogus MAC address, which results in NO ONE replying to the smurf."

We originally were advised to use a blackhole static route, but that does not take precedence over a directly connected route in the route table.

Kevin
> To take the false static ARP concept a little further, I've been advised to use a fake adjacent host entry to accomplish this. A Bay SE sent this to me today:
>
> "In order to protect a directly connected network from being a smurf launch point, you can configure an Adjacent Host for the broadcast address (if the network is a /24 then the broadcast addresses would be x.x.x.0 and x.x.x.255) with a bogus MAC address. This will cause the smurf traffic to be sent to that bogus MAC address, which results in NO ONE replying to the smurf."
Doesn't the broadcast address for which the false entry is being made break completely? (i.e. not just for the directed broadcast case) If so, guess that's not OK if the router needs to send broadcast packets on the LAN, as when it is running RIPv1!

-Phil
Charles Sprickman wrote:

> It's all well and good that everyone knows backwards and forwards how to configure this sort of thing on a Cisco, but there are other vendors out there making routers too. What is trivial in IOS may turn out to be a real bitch on other equipment.
* Bay Networks:
<snip>
A workaround is to set a false static ARP address in the router for the broadcast address of the LAN you wish to protect, or set a false static host route for the broadcast address.

Haven't played with any Bay routers since before this paper was released, so I haven't tried it. Sounds like a reasonable solution, though.

Just a quick FYI.

Brian

--
--=Please direct technical support questions to support@meganet.net =--
=======================================================================
Brian Wallingford                       voice: 508.646.0030
Network Operations Manager              email: brian@meganet.net
MEGANET COMMUNICATIONS, TCIX, Inc.      http://www.meganet.net
=======================================================================
Dear Randy,

You must use this command in configuration mode. Though I have not done it yet, it is very likely to be used under interface mode?!

regards,
tatsuya

------------------------------------------
Kawasaki
phone 03-3239-0607 fax 03-3239-2609
business network telecom
http://www.giganet.net

On Fri, 13 Feb 1998, Randy Bush wrote:
> [1:TN]$ no ip directed-broadcast
> no ip directed-broadcast: unknown command
If it won't smurf block, whatever the syntax, try
[1:TN]$ rma
randy
> You must use this command in configuration mode. Though I have not done it yet, it is very likely to be used under interface mode?!
The rma command is best avoided as it causes network disruption. Try the appropriate alternative in purchase mode.

--
Alex Bligh
GX Networks (formerly Xara Networks)
participants (10): Alex Bligh, Alex Rubenstein, Brian Wallingford, Charles Sprickman, Craig A. Huegen, Eric Osborne, Kevin Houle, Phillip Vandry, Randy Bush, Tatsuya Kawasaki