From: Tom Brown <tomb@securify.com>
To: Nick Rogness, "'Paul Hart'"
Cc: "freebsd-security@FreeBSD.ORG"
Subject: RE: ipfw
Date: Thu, 12 Aug 1999 13:54:38 -0700
Message-ID: <01BEE4CA.388639C0@beetroot.securify.com>

What is said about the pings arriving at the gateway is true. There is nothing you can do about your bandwidth being saturated, but you can at least take action to protect your hosts from the storm.

----------
From: Paul Hart
Sent: Thursday, August 12, 1999 7:00 AM
To: Nick Rogness
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: ipfw

On Thu, 12 Aug 1999, Nick Rogness wrote:

> No this DENIES anyone from outside trying to hit the broadcast on your
> local net. How are they supposed to hit your broadcast if it is blocked
> at your gateways?

... and that means that you won't be used as a smurf amplifier, as I said.

> That will stop Smurf & Fraggle attacks from outside to his Local LAN.

There are three parties involved in a smurf attack -- the attacker, one or more amplifiers, and the victim.
Blocking outside packets directed at the broadcast address does not prevent yourself from being a smurf victim! Read up on how the attack works:

http://users.quadrunner.com/chuegen/smurf.cgi

When you play the victim in a smurf attack you get hit by packets to a specific address of yours coming from hundreds (maybe even thousands) of remote machines. How will filtering packets from the outside to the broadcast addresses deflect anything? Better yet, how will filtering *anything* at your site stop the attack? By the time the packets make it to your firewall, your external bandwidth is already saturated and you're toasted before you can react, and there's very little you can do about it. That's what makes the attack so insidious -- it works because thousands of amplifier networks exist on the Internet and you (the victim) have no control over them to get them fixed.

We've been hit here before by smurf attacks in excess of 60 Mb/s that lasted several hours, and yes, they really suck. :-)

Paul Hart

--
Paul Robert Hart        ><8>   ><8>   ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>   ><8>   ><8>        http://www.iserver.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
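The distinction Paul draws, as an added example that is not part of the thread: the same ICMP traffic log can show whether a site is acting as an amplifier (echo requests from outside to its directed-broadcast address, which a gateway rule can stop) or is the victim (echo replies converging on one host from many outside sources, which no local filter can prevent). The sample lines, the local network 192.0.2.0/24 and the threshold are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed tcpdump-style ICMP lines (not from the thread): the first two show
# an outsider probing the directed-broadcast address (amplifier role), the next
# four show echo replies converging on one host from many sources (victim role),
# and the last is an ordinary outbound ping that should match neither.
SAMPLE_LINES = [
    "198.51.100.7 > 192.0.2.255: ICMP echo request",
    "198.51.100.7 > 192.0.2.255: ICMP echo request",
    "203.0.113.4 > 192.0.2.10: ICMP echo reply",
    "203.0.113.5 > 192.0.2.10: ICMP echo reply",
    "203.0.113.6 > 192.0.2.10: ICMP echo reply",
    "203.0.113.7 > 192.0.2.10: ICMP echo reply",
    "192.0.2.20 > 203.0.113.9: ICMP echo request",
]

def parse(line):
    """Split 'src > dst: ICMP <kind>' into (src, dst, kind); None if malformed."""
    try:
        addrs, _, rest = line.partition(": ICMP ")
        src, dst = (a.strip() for a in addrs.split(">"))
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), rest.strip()
    except ValueError:
        return None

def assess(lines, local_net, min_reply_sources=3):
    """Count broadcast probes (amplifier role) and find hosts flooded with
    echo replies from many distinct outside sources (victim role)."""
    net = ipaddress.ip_network(local_net)
    broadcast_requests = 0            # outside -> our broadcast: stoppable at the gateway
    reply_sources = defaultdict(set)  # local target -> distinct outside reply sources
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        src, dst, kind = parsed
        if kind == "echo request" and dst == net.broadcast_address and src not in net:
            broadcast_requests += 1
        elif kind == "echo reply" and dst in net and src not in net:
            reply_sources[dst].add(src)
    victims = sorted(str(h) for h, s in reply_sources.items()
                     if len(s) >= min_reply_sources)
    return {"broadcast_requests": broadcast_requests, "suspected_victims": victims}

if __name__ == "__main__":
    print(assess(SAMPLE_LINES, "192.0.2.0/24"))
```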