From owner-freebsd-security Thu Aug 12 13:02:31 1999
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 12 Aug 1999 14:00:10 -0600 (MDT)
From: Paul Hart <hart@iserver.com>
Reply-To: Paul Hart
To: Nick Rogness
Cc: freebsd-security@freebsd.org
Subject: RE: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> No this DENIES anyone from outside trying to hit the broadcast on your
> local net. How are they supposed to hit your broadcast if it is blocked
> at your gateways?

... and that means that you won't be used as a smurf amplifier, as I said.

> That will stop Smurf & Fraggle attacks from outside to his Local LAN.

There are three parties involved in a smurf attack -- the attacker, one or
more amplifiers, and the victim. Blocking outside packets directed at the
broadcast address does not prevent yourself from being a smurf victim! Read
up on how the attack works:

http://users.quadrunner.com/chuegen/smurf.cgi

When you play the victim in a smurf attack you get hit by packets to a
specific address of yours coming from hundreds (maybe even thousands) of
remote machines. How will filtering packets from the outside to the
broadcast addresses deflect anything? Better yet, how will filtering
*anything* at your site stop the attack?

By the time the packets make it to your firewall, your external bandwidth is
already saturated and you're toasted before you can react, and there's very
little you can do about it. That's what makes the attack so insidious -- it
works because thousands of amplifier networks exist on the Internet and you
(the victim) have no control over them to get them fixed.

We've been hit here before by smurf attacks in excess of 60 Mb/s that lasted
several hours, and yes, they really suck. :-)

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/
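The two roles Paul distinguishes above, amplifier and victim, leave different traces at a site's border, and they are worth telling apart because only one of them is something a local ipfw rule can do anything about. The following is an added example, not code from the thread or from FreeBSD: a small Python classifier over constructed ICMP flow records. It assumes a hypothetical local network in the 192.0.2.0/24 documentation range (with 192.0.2.255 as its directed-broadcast address), ICMP types 8 and 0 for echo request and echo reply, and records of the form (seconds, src, dst, icmp_type). `amplifier_attempts` picks out echo requests from outside aimed at the broadcast address, which is exactly the traffic the deny rule in the thread drops. `victim_signature` looks for a local address receiving echo replies from many distinct outside hosts in a short window; that is the victim side of smurf, which no local filter prevents but which is the signal you need in order to go to your upstream.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical site layout (documentation ranges, not the poster's network).
LOCAL_NET = ip_network("192.0.2.0/24")
BROADCAST = str(LOCAL_NET.broadcast_address)  # 192.0.2.255

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers


def _is_local(addr: str) -> bool:
    return ip_address(addr) in LOCAL_NET


def amplifier_attempts(flows):
    """Return the set of outside 'source' addresses that sent echo requests
    to our directed-broadcast address.

    These are the packets the ipfw deny rule in the thread stops; answering
    them would make this site an amplifier against the (spoofed) source.
    """
    return {src for _, src, dst, icmp_type in flows
            if icmp_type == ECHO_REQUEST and dst == BROADCAST
            and not _is_local(src)}


def victim_signature(flows, window_s=1.0, min_sources=20):
    """Find local hosts receiving echo replies from at least `min_sources`
    distinct outside hosts within any `window_s`-second window.

    This is the victim side of a smurf flood. Returns {dst: peak distinct
    sources}. Nothing here can stop the flood (the bandwidth is already gone
    upstream of the filter), but it is the evidence to hand to the upstream.
    """
    per_dst = defaultdict(list)
    for ts, src, dst, icmp_type in flows:
        if icmp_type == ECHO_REPLY and _is_local(dst) and not _is_local(src):
            per_dst[dst].append((ts, src))

    hits = {}
    for dst, events in per_dst.items():
        events.sort()
        counts = Counter()  # distinct outside sources in the current window
        start, best = 0, 0
        for ts, src in events:
            counts[src] += 1
            # Slide the window start forward past events older than window_s.
            while ts - events[start][0] > window_s:
                old_src = events[start][1]
                counts[old_src] -= 1
                if counts[old_src] == 0:
                    del counts[old_src]
                start += 1
            best = max(best, len(counts))
        if best >= min_sources:
            hits[dst] = best
    return hits


def build_sample_flows():
    """Constructed sample records: (seconds, src, dst, icmp_type)."""
    flows = [
        # An ordinary outbound ping from a local host and its single answer.
        (0.0, "192.0.2.10", "198.51.100.5", ECHO_REQUEST),
        (0.1, "198.51.100.5", "192.0.2.10", ECHO_REPLY),
        # Echo requests from outside to our broadcast address, with the
        # source set to some third party: the amplifier-abuse attempt.
        (1.0, "203.0.113.9", BROADCAST, ECHO_REQUEST),
        (1.2, "203.0.113.9", BROADCAST, ECHO_REQUEST),
    ]
    # Replies from 40 distinct outside hosts to one local host inside 0.4 s:
    # what the victim of a smurf attack sees arriving.
    for i in range(40):
        flows.append((5.0 + i * 0.01, f"203.0.113.{100 + i}",
                      "192.0.2.10", ECHO_REPLY))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("amplifier attempts (spoofed sources):", amplifier_attempts(sample))
    print("victim signature:", victim_signature(sample))
```

The split matters operationally: the first function flags traffic your own gateway rule should already be dropping (check it is), while a hit from the second function means the filter is irrelevant and the right move is to contact the upstream provider with the evidence.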