On Mon, 30 Nov 1998, Dan Hollis wrote:
On Mon, 30 Nov 1998, Brandon Ross wrote:
1Cust76.tnt1.sfo2.da.
I'd say that looks like uunet. Again. Sigh.
UUnet uses ascend TNT's which they claim you can't filter directed-broadcast on. I've ranted at them since October 20 to get this serious security hole closed.
I've been yelling at them about that as well as not being able or willing to reverse trace spoof attacks. This attack, however, would not have been stopped by such filters; this is just the address that someone used to break into a server with.
Thanks for your help.
Brandon Ross Network Engineering 404-815-0770 800-719-4664 Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
1Cust76.tnt1.sfo2.da.
I'd say that looks like uunet. Again. Sigh.
UUnet uses ascend TNT's which they claim you can't filter directed-broadcast on. I've ranted at them since October 20 to get this serious security hole closed. If they can't turn this off on the ascend access server, they can anyway filter out broadcast addresses in their border routers (CISCO's) forwarding traffic to these access servers. The result is (almost) the same.
I've been yelling at them about that as well as not being able or willing to reverse trace spoof attacks. This attack, however, would not have been stopped by such filters; this is just the address that someone used to break into a server with.
Thanks for your help.
Brandon Ross Network Engineering 404-815-0770 800-719-4664 Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com ICQ: 2269442
Stop Smurf attacks! Configure your router interfaces to block directed broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
On Tue, 1 Dec 1998, Alex P. Rudnev wrote:
UUnet uses ascend TNT's which they claim you can't filter directed-broadcast on. I've ranted at them since October 20 to get this serious security hole closed. If they can't turn this off on the ascend access server, they can anyway filter out broadcast addresses in their border routers (CISCO's) forwarding traffic to these access servers. The result is (almost) the same.
Filtering broadcast addresses is pretty ugly. Consider that a single Class C broken down into /30's can have 64 broadcast addresses. Maybe if it was just filtering your own assigned subnets, it would be possible, but this also applies to customer-subnetted broadcast addresses, so you'd have to coordinate your filter with every one of your customers, every time they change subnets. Not impossible, but pretty close.
Pete.
Who is willing to write a tool to do broadcast address discovery and access-list generation? Ideally with a config file that would allow one to avoid serious self smurfing (ie, ranges to check and patterns to assume are broadcasts without trying them).
Filtering broadcast addresses is pretty ugly. Consider that a single Class C broken down into /30's can have 64 broadcast addresses. Maybe if it was just filtering your own assigned subnets, it would be possible, but this also applies to customer-subnetted broadcast addresses, so you'd have to coordinate your filter with every one of your customers, every time they change subnets. Not impossible, but pretty close.
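The tool asked for above, and the arithmetic in Pete's message (one Class C cut into /30's yields 64 broadcast addresses), can be shown in a few dozen lines. The following is an added example written for this thread, not code from any of the participants. It takes a config file listing the subnets an operator actually knows about (its own assignments, per Pete's "just filtering your own assigned subnets") together with the length they are carved into, enumerates every resulting broadcast address, and emits Cisco IOS extended access-list lines denying traffic to each one. It deliberately does no probing: discovery by sending packets to candidate addresses is exactly the "self smurfing" the request warns about, so every address is derived from the config alone. The prefixes in the sample config are constructed RFC 5737 documentation ranges, and the access-list number 101 is an arbitrary choice.

```python
"""Generate IOS access-list entries denying the directed-broadcast
addresses of known subnets, from a config file (no probing).

Added example for this thread; the config format and ACL number are
assumptions, not anything UUNET, Verio or MindSpring actually ran."""
import ipaddress

# Constructed sample config.  Format per line: <prefix> <split-length>
# The split length says how the prefix is subnetted internally; the
# tool trusts this and never sends a packet to check it.
SAMPLE_CONFIG = """
# network         split   note
192.0.2.0/24      30      # one Class C carved into /30 point-to-point links
198.51.100.0/24   24      # a flat customer LAN, one broadcast address
203.0.113.0/25    26      # half a Class C split into two /26s
"""


def parse_config(text):
    """Parse '<prefix> <split-length>' lines into (network, split_len) tuples.

    Rejects a split length shorter than the prefix itself or longer
    than /32, so a typo cannot silently produce a wrong address list."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        prefix, split_len = line.split()[:2]
        net = ipaddress.ip_network(prefix, strict=True)
        split_len = int(split_len)
        if split_len < net.prefixlen or split_len > 32:
            raise ValueError(f"split length /{split_len} is invalid for {net}")
        entries.append((net, split_len))
    return entries


def broadcast_addresses(net, split_len):
    """Return the broadcast address of every /split_len subnet inside net.

    A /24 split into /30s gives 2**(30-24) == 64 addresses, which is the
    figure quoted in the thread; split_len == net.prefixlen yields just
    the network's own broadcast address."""
    return [sub.broadcast_address for sub in net.subnets(new_prefix=split_len)]


def generate_acl(entries, acl_number=101):
    """Build IOS extended ACL lines: one deny per broadcast address,
    then a permit-any so the list does not drop legitimate traffic."""
    lines = []
    for net, split_len in entries:
        for bcast in broadcast_addresses(net, split_len):
            lines.append(f"access-list {acl_number} deny ip any host {bcast}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    for acl_line in generate_acl(parse_config(SAMPLE_CONFIG)):
        print(acl_line)
```

Applied inbound on the border routers Alex describes, the generated list blocks packets addressed to the listed broadcast addresses regardless of whether the access server behind them can disable directed-broadcast forwarding. The maintenance burden Pete points out is still real: the config must be regenerated whenever a customer re-subnets, which is why the example restricts itself to the operator's own known assignments.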
At 12:29 PM 12/1/98 -0700, Pete Kruckenberg wrote:
On Tue, 1 Dec 1998, Alex P. Rudnev wrote:
UUnet uses ascend TNT's which they claim you can't filter directed-broadcast on. I've ranted at them since October 20 to get this serious security hole closed. If they can't turn this off on the ascend access server, they can anyway filter out broadcast addresses in their border routers (CISCO's) forwarding traffic to these access servers. The result is (almost) the same.
Filtering broadcast addresses is pretty ugly. Consider that a single Class C broken down into /30's can have 64 broadcast addresses. Maybe if it was just filtering your own assigned subnets, it would be possible, but this also applies to customer-subnetted broadcast addresses, so you'd have to coordinate your filter with every one of your customers, every time they change subnets. Not impossible, but pretty close.
IFF they *only* sub-net into /30's and not have irregular sub-nets below that. The best I can think of is to just cover your own subnets and let your down-stream worry about theirs. Otherwise, it's not do-able, like you said.
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer@mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: staff.mhsc.com/~rmeyer (http://www.mhsc.com/~rmeyer)
Company web-site: www.mhsc.com (http://www.mhsc.com/)
___________________________________________________
Who is John Galt? "Atlas Shrugged" - Ayn Rand
participants (5)
- Alex P. Rudnev
- Brandon Ross
- jzeeff@verio.net
- Pete Kruckenberg
- Roeland M.J. Meyer