Date:      Thu, 12 Aug 1999 14:00:10 -0600 (MDT)
From:      Paul Hart <hart@iserver.com>
To:        Nick Rogness <nick@rapidnet.com>
Cc:        freebsd-security@freebsd.org
Subject:   RE: ipfw
Message-ID:  <Pine.BSF.3.96.990812133555.62924E-100000@anchovy.orem.iserver.com>
In-Reply-To: <Pine.BSF.4.05.9908121309450.51354-100000@rapidnet.com>

On Thu, 12 Aug 1999, Nick Rogness wrote:

> No this DENIES anyone from outside trying to hit the broadcast on your
> local net.  How are they supposed to hit your broadcast if it is blocked
> at your gateways? 

... and that means that you won't be used as a smurf amplifier, as I said. 

> That will stop Smurf & Fraggle attacks from outside to his Local LAN. 

There are three parties involved in a smurf attack -- the attacker, one or
more amplifiers, and the victim.  Blocking outside packets directed at
the broadcast address does not prevent yourself from being a smurf
victim!  Read up on how the attack works: 

    http://users.quadrunner.com/chuegen/smurf.cgi

When you play the victim in a smurf attack you get hit by packets to a
specific address of yours coming from hundreds (maybe even thousands) of
remote machines.  How will filtering packets from the outside to the
broadcast addresses deflect anything?  Better yet, how will filtering
*anything* at your site stop the attack?  By the time the packets make it
to your firewall, your external bandwidth is already saturated and you're
toasted before you can react and there's very little you can do about it.
That's what makes the attack so insidious -- it works because thousands of
amplifier networks exist on the Internet and you (the victim) have no
control over them to get them fixed.

We've been hit here before by smurf attacks in excess of 60 Mb/s that
lasted several hours, and yes, they really suck.  :-) 

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
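
An added example, not part of the original message: a small classifier that separates the two site-side roles discussed in this thread, run over constructed packet summaries. The addresses (documentation ranges), the function names and the 100-source threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample site: 192.0.2.0/24 (documentation range, not from the thread).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

def sample_packets():
    """Constructed (src, dst, icmp_type) tuples; 8 = echo request, 0 = echo reply."""
    # One outside echo request aimed at our directed broadcast (amplifier attempt).
    pkts = [("203.0.113.9", "192.0.2.255", 8)]
    # Echo replies from 200 remote amplifier hosts to a single local host.
    pkts += [(f"198.51.100.{i}", "192.0.2.10", 0) for i in range(1, 201)]
    return pkts

def broadcast_filter_drops(pkt, net=LOCAL_NET):
    """Gateway rule under discussion: deny outside packets to our broadcast address."""
    src, dst, _ = pkt
    outside = ipaddress.ip_address(src) not in net
    return outside and ipaddress.ip_address(dst) == net.broadcast_address

def classify(packets, net=LOCAL_NET, min_reply_sources=100):
    """Count what the broadcast filter drops and flag local hosts flooded by echo replies."""
    dropped = passed = 0
    reply_sources = defaultdict(set)  # local dst -> distinct remote reply sources
    for pkt in packets:
        src, dst, icmp_type = pkt
        if broadcast_filter_drops(pkt, net):
            dropped += 1              # we refused to act as an amplifier
            continue
        passed += 1                   # already crossed the upstream link by this point
        if (icmp_type == 0 and ipaddress.ip_address(dst) in net
                and ipaddress.ip_address(src) not in net):
            reply_sources[dst].add(src)
    victims = {d: len(s) for d, s in reply_sources.items()
               if len(s) >= min_reply_sources}
    return {"amplifier_attempts_dropped": dropped,
            "passed_filter": passed,
            "victim_hosts": victims}

if __name__ == "__main__":
    print(classify(sample_packets()))
```

The broadcast rule matches only the single amplifier attempt; every reply in the victim-side flood is addressed to a unicast host and is counted only after it has consumed the external link.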







