From owner-freebsd-security Mon Jun 24 06:48:48 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA21730 for security-outgoing; Mon, 24 Jun 1996 06:48:48 -0700 (PDT)
Received: from horst.bfd.com (horst.bfd.com [204.160.242.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA21725 for ; Mon, 24 Jun 1996 06:48:46 -0700 (PDT)
Received: from harlie.bfd.com (bastion.bfd.com [204.160.242.2]) by horst.bfd.com (8.7.5/8.7.3) with SMTP id GAA13631; Mon, 24 Jun 1996 06:48:41 -0700 (PDT)
Date: Mon, 24 Jun 1996 06:48:42 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: "Jordan K. Hubbard"
cc: Guido van Rooij , security@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <10326.835597770@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> > Do you have anti-spoof filter rules in your backbone router? If not
> > install them. If so, please add packets coming in from localhost
>
> How do you install such things on a cisco 2500? :-) Seriously, if
> there's a way then I can get someone from cisco to help me out, but I
> first need to know that it's even a reasonable request.

Very simply, considering what most people refer to as anti-spoof filters are filters that make sure internal addresses aren't coming in on an external interface. On our 2500, the very first incoming rule on the serial port that goes to our T1 is "deny anything that has a source address within our class C address." Now I get to add 127.0.0.0 :-)

This way, if we see an address on the internal networks that has our Class C address (or our 192.168.X.X addresses), we know it was generated internally, so if it is a hack attempt, we've already been breached.

If there are better anti-spoofing filters, I'm not aware of them, and will gladly listen.

If you need any more help than the explanation (If you know Cisco filtering rules, the rest is simple), feel free to email me.
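
The ingress rule described in the message above, as an added example that is not part of the original post or any Cisco tooling: a small first-match evaluator run over a constructed ACL written in IOS extended access-list syntax. The ACL number 101, the 192.0.2.0/24 block standing in for "our class C", and the sample source addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed ingress ACL in Cisco IOS extended-ACL syntax (source + wildcard mask).
# 192.0.2.0/24 is a documentation range used as a placeholder for "our class C".
# On the router, a list like this is bound inbound on the external serial
# interface with "ip access-group 101 in".
INGRESS_ACL = """\
access-list 101 deny   ip 192.0.2.0   0.0.0.255     any
access-list 101 deny   ip 192.168.0.0 0.0.255.255   any
access-list 101 deny   ip 127.0.0.0   0.255.255.255 any
access-list 101 permit ip any any
"""

def parse_acl(text):
    """Return [(action, base_int, wildcard_int)] for the simplified lines above."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "access-list":
            continue
        action = f[2]
        if f[4] == "any":
            base, wild = 0, 0xFFFFFFFF  # "any" matches every source address
        else:
            base = int(ipaddress.IPv4Address(f[4]))
            wild = int(ipaddress.IPv4Address(f[5]))
        rules.append((action, base, wild))
    return rules

def check_source(rules, src):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for action, base, wild in rules:
        # Wildcard bits set to 1 are "don't care"; all other bits must equal the base.
        if (s & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF):
            return action
    return "deny"

RULES = parse_acl(INGRESS_ACL)

if __name__ == "__main__":
    # Constructed source addresses of packets arriving on the external interface.
    for src in ["192.0.2.77", "192.168.5.9", "127.0.0.1", "198.51.100.20"]:
        print(f"{src:15} -> {check_source(RULES, src)}")
```

Because evaluation stops at the first match, the deny lines have to sit above the final permit, which is why the message calls it "the very first incoming rule".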