Re: What am I seeing?

From: Richard.Smithat_private
Date: Tue Oct 23 2001 - 10:35:22 PDT


    A fraggle attack is not an ICMP-based attack. It is UDP-based.
    Nevertheless, you should be filtering all reserved and RFC 1918 networks
    at your borders. This would prevent UDP ECHOs from ever reaching your
    internal hosts. The intent of the attacker seems to be to bring down your
    /24, not any other external site. So they might redirect their attack at
    your router if you filter their spoofed network. Then their attack might
    not be as effective since it won't be amplified by your internal hosts,
    but it might be annoying. If you have filtered their bogus source
    (0.0.0.0) and they continue to barrage your router, you have no choice but
    to work with your upstream provider and track the source via ASN as
    Valdis mentioned below.
    
    If you need info on filtering the reserved and/or RFC 1918 networks, or
    hardening Cisco routers in general, a good white paper is Bastion Routers,
    and you can find it on Phrack.
    
    http://www.phrack.org/show.php?p=55&a=10
    
    Richard S Smith
    Sr Information Security Analyst
    Global Integrity a Division of Predictive Systems
    Valdis.Kletnieksat_private
    10/23/2001 12:29 PM
    
     
            To:     jkruser <jkruserat_private>
            cc:     incidentsat_private, focus-idsat_private
            Subject:        Re: What am I seeing?
    
    
    On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said:
    > problem is...looks like, to me, that it is not coming from outside...thus
    > the ingress filtering will not stop it. Or am I missing something?
    
    > 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated,
    > MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1
    
    The trick here is to remember that ingress filtering will *not* stop these
    packets (as you noted, they originate inside the filter).  What you need
    to do is find the packet that's being sent IN that's causing these replies,
    and ingress filter THAT.
    
    This is similar to stopping SMURF attacks (which consist of streams of
    ICMP Echo Reply packets) by configuring your routers to Do The Right
    Thing(*) with ICMP Echo *Request* packets....
    
    -- 
    Valdis Kletnieks
    Operating Systems Analyst
    Virginia Tech
    
    (*) The Right Thing is documented in RFC2644 "Changing the Default for
    Directed Broadcast in Routers".  To summarize - routers should drop
    packets going to a subnet's broadcast address by default, and it should
    only be enabled if you know what you're doing....
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
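
The two filtering points made in this thread, dropping packets whose source is in RFC 1918 or reserved space at the border (Richard's point) and refusing to forward directed broadcasts as RFC 2644 prescribes (Valdis's point), as an added Python example. This is not code from either poster. The victim prefix 198.51.100.0/24 stands in for MY.C.BLOCK.0/24, the packet trace is constructed to mirror the IDS line quoted above, and the third rule (dropping inbound UDP to the echo and chargen ports) is an extra hardening step assumed here that the thread does not itself prescribe. It also shows why the reply packets the IDS flagged cannot be caught by an ingress filter: they never arrive inbound.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed victim prefix; stands in for MY.C.BLOCK.0/24 in the thread.
PROTECTED_NET = ip_network("198.51.100.0/24")

# Source prefixes that should never appear on packets arriving from the
# outside: RFC 1918 space plus reserved ranges. 0.0.0.0/8 covers the spoofed
# source shown in the IDS log.
BOGON_SOURCES = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# UDP services that answer every datagram and therefore amplify a fraggle
# attack. Dropping inbound traffic to them is an assumed extra hardening
# step, not something the thread prescribes.
AMPLIFIER_PORTS = {7, 19}  # echo, chargen


def is_bogon(src):
    """True if the dotted-quad source lies in RFC 1918 or reserved space."""
    addr = ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


def classify(pkt):
    """Border-router decision for one packet.

    pkt: dict with src, dst (dotted quads), proto, and sport/dport for UDP/TCP.
    Direction is inferred from which side of the border each address is on.
    """
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    inbound = dst in PROTECTED_NET and src not in PROTECTED_NET
    if not inbound:
        # Replies leaving the /24 (what the IDS flagged) never cross the
        # border inbound, so an ingress filter cannot stop them; the fix is
        # to stop the trigger packet with the rules below.
        return "forward:internal-origin"
    if is_bogon(pkt["src"]):
        return "drop:bogon-source"
    if dst == PROTECTED_NET.broadcast_address:
        # RFC 2644 default: do not forward directed broadcasts into the subnet.
        return "drop:directed-broadcast"
    if pkt["proto"] == "udp" and pkt.get("dport") in AMPLIFIER_PORTS:
        return "drop:udp-amplifier-port"
    return "forward"


def audit(trace):
    """Count decisions over a packet list."""
    return dict(Counter(classify(p) for p in trace))


# Constructed trace. The first and last entries mirror the IDS line in the
# thread: a spoofed 0.0.0.0 datagram to the subnet broadcast on UDP/7, and
# the echo reply an inside host sends back to 0.0.0.0.
SAMPLE_TRACE = [
    {"src": "0.0.0.0", "dst": "198.51.100.255", "proto": "udp", "sport": 21497, "dport": 7},
    {"src": "203.0.113.9", "dst": "198.51.100.255", "proto": "udp", "sport": 40000, "dport": 7},
    {"src": "203.0.113.9", "dst": "198.51.100.20", "proto": "udp", "sport": 40001, "dport": 19},
    {"src": "203.0.113.9", "dst": "198.51.100.10", "proto": "tcp", "sport": 51000, "dport": 80},
    {"src": "198.51.100.177", "dst": "0.0.0.0", "proto": "udp", "sport": 7, "dport": 21497},
]

if __name__ == "__main__":
    for p in SAMPLE_TRACE:
        print(f'{p["src"]:>15} -> {p["dst"]:<15} {p["proto"]}/{p.get("dport")}: {classify(p)}')
    print(audit(SAMPLE_TRACE))
```

Rule order matters: the spoofed trigger is caught by the bogon check first, so the directed-broadcast rule only shows up for a trigger with a routable source, which is exactly the case the bogon filter alone would miss.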
    