Date: Thu, 12 Aug 1999 09:39:56 -0600 (MDT) From: Paul Hart <hart@iserver.com> To: Nick Rogness <nick@rapidnet.com> Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw Message-ID: <Pine.BSF.3.96.990812092521.62924A-100000@anchovy.orem.iserver.com> In-Reply-To: <Pine.BSF.4.05.9908112204040.48871-100000@rapidnet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 12 Aug 1999, Nick Rogness wrote:
> > what rules should I add to my ipfw ruleset to block out icmp
> > floods and smurf attacts, etc thanks.
>
> For smurf attacks, I've done it 2 different ways before, assuming
> your local net is 192.168.0.0/24:
>
> # Permit traffic from local net 192.168.0.0/24 to broadcast addr.
> ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
> # Deny log traffic from outside local net to local broadcast
> ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0
Doesn't that just stop you from being used as a smurf amplifier? I think
the original poster wanted to know how to defend against being a smurf
victim, which is much more difficult. The best resources I've seen for
understanding smurf attacks are:
http://users.quadrunner.com/chuegen/smurf.cgi
http://www.netscan.org/
http://www.powertech.no/smurf/
Defending against smurf attacks is hard because by the time you receive
the smurf traffic on your network, much of the damage has already been
done. And believe me, you WILL notice that something is happening when
you're feeling the brunt of a 60 Mb/s sustained smurf attack. :-)
Paul Hart
--
Paul Robert Hart ><8> ><8> ><8> Verio Web Hosting, Inc.
hart@iserver.com ><8> ><8> ><8> http://www.iserver.com/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990812092521.62924A-100000>