A fraggle attack is not an ICMP based attack. It is UDP based. Nevertheless, you should be filtering all reserved and RFC 1918 networks at your borders. This would prevent UDP ECHO's from ever reaching your internal hosts. The intent of the attacker seems to be to bring down your /24 not any other external site. So they might redirect their attack at your router if you filter their spoofed network. Then their attack might not be as effective since it won't be amplified by your internal hosts, but it might be annoying. If you have filtered their bogus source (0.0.0.0) and they continue to barrage your router you have no choice but to work with your upstream provider and track the source via ASN as Valdis mentioned below. If you need info on filtering the reserved and/or RFC 1918 networks or hardening Cisco routers in general a good white paper is Bastion Routers and you can find it on Phrack. http://www.phrack.org/show.php?p=55&a=10 Richard S Smith Sr Information Security Analyst Global Integrity a Division of Predictive Systems Valdis.Kletnieksat_private 10/23/2001 12:29 PM To: jkruser <jkruserat_private> cc: incidentsat_private, focus-idsat_private Subject: Re: What am I seeing? On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said: > problem is...looks like, to me, that it is not coming from outside...thus > the ingress filtering will not stop it. Or am I missing something? > 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, > MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1 The trick here is to remember that ingress filtering will *not* stop these packets (as you noted, they originate inside the filter). What you need to do is find the packet that's being sent IN that's causing these replies, and ingress filter THAT. This is similar to stopping SMURF attacks (which consist of streams of ICMP Echo Reply packets) by configuring your routers to Do The Right Thing(*) with ICMP Echo *Request* packets.... -- Valdis Kletnieks Operating Systems Analyst Virginia Tech (*) The Right Thing is documented in RFC2644 "Changing the Default for Directed Broadcast in Routers". To summarize - routers should drop packets going to a subnet's broadcast address by default, and it should only be enabled if you know what you're doing.... ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 12:33:06 PDT