Re: What am I seeing?

From: Valdis.Kletnieksat_private
Date: Tue Oct 23 2001 - 09:29:24 PDT


On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said:
> problem is...looks like, to me, that it is not coming from outside...thus
> the ingress filtering will not stop it. Or am I missing something?

> 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated,
> MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1

The trick here is to remember that ingress filtering will *not* stop these
packets (as you noted, they originate inside the filter).  What you need
to do is find the packet that's being sent IN that's causing these replies,
and ingress filter THAT.

This is similar to stopping SMURF attacks (which consist of streams of
ICMP Echo Reply packets) by configuring your routers to Do The Right
Thing(*) with ICMP Echo *Request* packets....

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech

(*) The Right Thing is documented in RFC2644 "Changing the Default for
Directed Broadcast in Routers".  To summarize - routers should drop
packets going to a subnet's broadcast address by default, and it should
only be enabled if you know what you're doing....
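The distinction Valdis draws (the outbound UDP replies from port 7 are the symptom; the inbound datagram aimed at a subnet's broadcast address is the thing to filter, per RFC 2644) can be made concrete with a small packet classifier. The following is an added example, not code from the list post or from any router vendor; the subnets, addresses and packet records are constructed for illustration, and `classify`, `audit` and the verdict strings are names chosen here.

```python
"""Classify packets at a border router the way RFC 2644 and the post above
suggest: drop anything addressed to a directly attached subnet's broadcast
address, and treat outbound UDP datagrams from a reflector port (echo/chargen)
as the symptom of a Fraggle-style reflection rather than its cause."""

import ipaddress
from typing import Dict, List

# Constructed example addressing (documentation ranges); not taken from the post.
ATTACHED_SUBNETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Small UDP services that answer every datagram they receive, which is what
# makes a broadcast of them into a reflector (port 7 is the one in the IDS line).
REFLECTOR_PORTS = {7: "echo", 19: "chargen"}


def is_directed_broadcast(dst: str, subnets=ATTACHED_SUBNETS) -> bool:
    """True if dst is the broadcast address of one of the attached subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in subnets)


def is_inside(ip: str, subnets=ATTACHED_SUBNETS) -> bool:
    """True if ip falls within one of the attached subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def classify(pkt: Dict) -> str:
    """Return one verdict for a packet record seen at the border.

    drop/directed-broadcast : RFC 2644 default - never forward a packet to a
                              subnet broadcast address; this removes the
                              reflection step of both SMURF (ICMP) and Fraggle (UDP)
    symptom/reflected-reply : outbound UDP from a reflector port leaving the
                              network, i.e. the replies the IDS logged; filtering
                              these alone does not stop the attack
    permit                  : everything else
    """
    if is_directed_broadcast(pkt["dst"]):
        return "drop/directed-broadcast"
    if (pkt["proto"] == "udp"
            and pkt["sport"] in REFLECTOR_PORTS
            and is_inside(pkt["src"])
            and not is_inside(pkt["dst"])):
        return "symptom/reflected-reply"
    return "permit"


def audit(packets: List[Dict]) -> Dict[str, List[Dict]]:
    """Group a batch of packet records by verdict."""
    grouped: Dict[str, List[Dict]] = {}
    for pkt in packets:
        grouped.setdefault(classify(pkt), []).append(pkt)
    return grouped


# Constructed sample traffic: one inbound UDP datagram to a subnet broadcast
# address (the trigger to ingress-filter), the reflected reply it produces, an
# ordinary internal TCP session, a chargen variant aimed at the second subnet,
# and an ICMP Echo Request to broadcast (the SMURF case from the post).
SAMPLE = [
    {"src": "203.0.113.9",  "dst": "192.0.2.255",    "proto": "udp",  "sport": 21497, "dport": 7},
    {"src": "192.0.2.177",  "dst": "203.0.113.9",    "proto": "udp",  "sport": 7,     "dport": 21497},
    {"src": "192.0.2.10",   "dst": "192.0.2.20",     "proto": "tcp",  "sport": 40000, "dport": 22},
    {"src": "203.0.113.9",  "dst": "198.51.100.255", "proto": "udp",  "sport": 1,     "dport": 19},
    {"src": "203.0.113.9",  "dst": "192.0.2.255",    "proto": "icmp", "sport": None,  "dport": None},
]

if __name__ == "__main__":
    for verdict, pkts in audit(SAMPLE).items():
        print(f"{verdict}: {len(pkts)} packet(s)")
        for p in pkts:
            print(f"    {p['src']} -> {p['dst']} {p['proto']} {p['sport']}->{p['dport']}")
```

Run as a script, the audit puts the inbound broadcast-addressed datagrams (UDP to port 7 and 19, and the ICMP Echo Request) under the RFC 2644 drop verdict and the outbound port-7 reply under "symptom", which is the split the post is making: the reply is what the IDS saw, the broadcast-addressed request is what the filter should catch.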
    
    This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 10:09:51 PDT