Date:      Thu, 12 Aug 1999 13:54:38 -0700
From:      Tom Brown <tomb@securify.com>
To:        Nick Rogness <nick@rapidnet.com>, "'Paul Hart'" <hart@iserver.com>
Cc:        "freebsd-security@FreeBSD.ORG" <freebsd-security@FreeBSD.ORG>
Subject:   RE: ipfw
Message-ID:  <01BEE4CA.388639C0@beetroot.securify.com>

What is said about the pings arriving at the gateway is true.  There
is nothing you can do about your bandwidth being saturated, but you can at
least take action to protect your hosts from the storm.

----------
From:  Paul Hart
Sent:  Thursday, August 12, 1999 7:00 AM
To:  Nick Rogness
Cc:  freebsd-security@FreeBSD.ORG
Subject:  RE: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> No, this DENIES anyone from outside trying to hit the broadcast on your
> local net.  How are they supposed to hit your broadcast if it is blocked
> at your gateways?

... and that means that you won't be used as a smurf amplifier, as I
said.

> That will stop Smurf & Fraggle attacks from outside to his Local LAN.

There are three parties involved in a smurf attack -- the attacker, one or
more amplifiers, and the victim.  Blocking outside packets directed at
the broadcast address does not prevent yourself from being a smurf
victim!  Read up on how the attack works:

    http://users.quadrunner.com/chuegen/smurf.cgi

When you play the victim in a smurf attack you get hit by packets to a
specific address of yours coming from hundreds (maybe even thousands) of
remote machines.  How will filtering packets from the outside to the
broadcast addresses deflect anything?  Better yet, how will filtering
*anything* at your site stop the attack?  By the time the packets make it
to your firewall, your external bandwidth is already saturated and you're
toasted before you can react, and there's very little you can do about it.
That's what makes the attack so insidious -- it works because thousands of
amplifier networks exist on the Internet and you (the victim) have no
control over them to get them fixed.

We've been hit here before by smurf attacks in excess of 60 Mb/s that
lasted several hours, and yes, they really suck.  :-)

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/
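The thread distinguishes two roles a site can play in a smurf attack: amplifier (outside hosts sending echo requests to your directed-broadcast address, which the ipfw deny rule under discussion stops) and victim (one of your hosts receiving echo replies from many outside sources, which no local filter can stop, though it can be detected). The following is an added example written for this archive page, not code from any poster or from FreeBSD; it classifies constructed packet records by those two roles. The site prefix 192.0.2.0/24, the record layout (src, dst, icmp_type) and the threshold of five distinct sources are assumptions.

```python
"""Classify inbound ICMP records for smurf exposure (amplifier vs. victim).

Added example, not from the mailing-list thread.  Assumptions: the site
network is 192.0.2.0/24, records are (src, dst, icmp_type) tuples, and
five distinct reply sources to one host is treated as suspicious.
"""
import ipaddress
from collections import defaultdict

SITE_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local network

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Constructed sample records (documentation address ranges only).
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.255", ICMP_ECHO_REQUEST),  # request to directed broadcast
    ("198.51.100.7", "192.0.2.0", ICMP_ECHO_REQUEST),    # request to network address
    ("198.51.100.9", "192.0.2.10", ICMP_ECHO_REQUEST),   # ordinary ping to one host
    ("203.0.113.1", "192.0.2.10", ICMP_ECHO_REPLY),      # unsolicited replies from
    ("203.0.113.2", "192.0.2.10", ICMP_ECHO_REPLY),      # many outside sources
    ("203.0.113.3", "192.0.2.10", ICMP_ECHO_REPLY),      # toward a single inside host
    ("203.0.113.4", "192.0.2.10", ICMP_ECHO_REPLY),
    ("203.0.113.5", "192.0.2.10", ICMP_ECHO_REPLY),
    ("203.0.113.6", "192.0.2.20", ICMP_ECHO_REPLY),      # one reply: below threshold
]


def is_amplifier_probe(src, dst, icmp_type, net=SITE_NET):
    """True when an outside host sends an echo request to our broadcast or
    network address.  This is exactly the traffic the gateway deny rule in
    the thread drops, so a hit here means the filter is missing or bypassed."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return (icmp_type == ICMP_ECHO_REQUEST
            and s not in net
            and d in (net.broadcast_address, net.network_address))


def amplifier_probes(packets, net=SITE_NET):
    """Return the records that would make this site an amplifier."""
    return [p for p in packets if is_amplifier_probe(*p, net=net)]


def victim_indicators(packets, net=SITE_NET, min_sources=5):
    """Map inside host -> number of distinct outside sources that sent it echo
    replies, keeping only hosts at or above min_sources.  Many distinct reply
    sources converging on one address is the victim-side signature the thread
    describes; filtering cannot prevent it, but it can be observed."""
    sources = defaultdict(set)
    for src, dst, icmp_type in packets:
        s = ipaddress.ip_address(src)
        d = ipaddress.ip_address(dst)
        if icmp_type == ICMP_ECHO_REPLY and s not in net and d in net:
            sources[dst].add(src)
    return {dst: len(srcs) for dst, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for p in amplifier_probes(SAMPLE_PACKETS):
        print("amplifier exposure:", p)
    for host, n in victim_indicators(SAMPLE_PACKETS).items():
        print(f"possible victim: {host} received replies from {n} outside sources")
```

Note that the network address is checked alongside the broadcast address: some older stacks answered echo requests sent to it, so a filter that only covers .255 leaves a gap. The victim check reports a count rather than blocking anything, which matches the point made in the thread that the victim's own filters arrive too late to help.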




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message