Date: Thu, 12 Aug 1999 09:39:56 -0600 (MDT)
From: Paul Hart
To: Nick Rogness
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> > what rules should I add to my ipfw ruleset to block out icmp
> > floods and smurf attacks, etc thanks.
>
> For smurf attacks, I've done it 2 different ways before, assuming
> your local net is 192.168.0.0/24:
>
> # Permit traffic from local net 192.168.0.0/24 to broadcast addr.
> ipfw add 1000 permit ip from 192.168.0.0/24 to 192.168.0.255/32
> # Deny log traffic from outside local net to local broadcast
> ipfw add 2000 deny log ip from any to 192.168.0.255/32 in via de0

Doesn't that just stop you from being used as a smurf amplifier? I think
the original poster wanted to know how to defend against being a smurf
victim, which is much more difficult.

The best resources I've seen for understanding smurf attacks are:

    http://users.quadrunner.com/chuegen/smurf.cgi
    http://www.netscan.org/
    http://www.powertech.no/smurf/

Defending against smurf attacks is hard because by the time you receive
the smurf traffic on your network, much of the damage has already been
done. And believe me, you WILL notice that something is happening when
you're feeling the brunt of a 60 Mb/s sustained smurf attack. :-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
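
An added example, not part of the original message or of ipfw itself: a Python script that separates the two roles discussed above, using log lines from the quoted rule 2000 (echo requests aimed at the local broadcast address, the amplifier case) and from a hypothetical counting rule 3000 (echo replies arriving from outside, the victim case). The log layout, rule 3000, the addresses and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.0.0/24")   # local net from the quoted rules
# Assumed ipfw-style layout: "ipfw: <rule> <action> ICMP:<type>.<code> <src> <dst> in via <if>"
LINE = re.compile(r"ipfw: (\d+) (\w+) ICMP:(\d+)\.(\d+) (\S+) (\S+) in via (\S+)")

# Constructed sample log lines (documentation address ranges), not captured traffic.
SAMPLE = """\
ipfw: 2000 Deny ICMP:8.0 198.51.100.7 192.168.0.255 in via de0
ipfw: 2000 Deny ICMP:8.0 198.51.100.7 192.168.0.255 in via de0
ipfw: 3000 Count ICMP:0.0 203.0.113.10 192.168.0.20 in via de0
ipfw: 3000 Count ICMP:0.0 203.0.113.11 192.168.0.20 in via de0
ipfw: 3000 Count ICMP:0.0 203.0.113.12 192.168.0.20 in via de0
ipfw: 3000 Count ICMP:0.0 203.0.113.13 192.168.0.20 in via de0
ipfw: 3000 Count ICMP:0.0 192.0.2.5 192.168.0.30 in via de0
"""

def classify(log_text, min_reply_sources=4):
    """Return (amplifier_hits, victim_hosts) from ipfw-style ICMP log lines."""
    amplifier_hits = defaultdict(int)   # claimed source of broadcast pings -> count
    reply_sources = defaultdict(set)    # local host -> distinct outside reply senders
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        icmp_type = int(m.group(3))
        src, dst = ip_address(m.group(5)), ip_address(m.group(6))
        if icmp_type == 8 and dst == LOCAL_NET.broadcast_address and src not in LOCAL_NET:
            # Echo request to our broadcast from outside: we are the would-be amplifier.
            amplifier_hits[str(src)] += 1
        elif icmp_type == 0 and dst in LOCAL_NET and src not in LOCAL_NET:
            # Echo reply arriving from outside: candidate smurf traffic aimed at us.
            reply_sources[str(dst)].add(str(src))
    victims = {h: len(s) for h, s in reply_sources.items() if len(s) >= min_reply_sources}
    return dict(amplifier_hits), victims

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The victim-side result only identifies the flood after the replies have already crossed the upstream link, which is the limitation the message describes.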