Re: What am I seeing?

From: 'Bill Scherr IV, GCIA' (bschnzlat_private)
Date: Thu Oct 25 2001 - 08:24:35 PDT

       Fraggle or smurf or cookie monster.  Proper Ingress/Egress filtering 
    and Router configuration (Router (config-subif)# no ip directed-broadcast)
    will make this a non-issue.  obsid's script has an excellent list of IANA 
    reserved nets!  It also blocks the RFC 1918 stuff and directed/limited 
    broadcasts.  The point here is that no matter how you do it, put the proper 
    filters in place.  (ISPs too!)  DoS defense depends on ALL of us!

    On 23 Oct 2001, at 13:35, Richard.Smithat_private wrote:
    > A fraggle attack is not an ICMP based attack. It is UDP based. 
    > Nevertheless, you should be filtering all reserved and RFC 1918 networks 
    > at your borders. This would prevent UDP ECHOs from ever reaching your 
    > internal hosts. The intent of the attacker seems to be to bring down your /24
    > not any other external site. So they might redirect their attack at your router
    > if you filter their spoofed network. Then their attack might not be as
    > effective since it won't be amplified by your internal hosts, but it might be
    > annoying. If you have filtered their bogus source (and they continue
    > to barrage your router) you have no choice but to work with your upstream
    > provider and track the source via ASN as Valdis mentioned below. 
    > If you need info on filtering the reserved and/or RFC 1918 networks or 
    > hardening Cisco routers in general a good white paper is Bastion Routers 
    > and you can find it on Phrack.
    > Richard S Smith
    > Sr Information Security Analyst
    > Global Integrity a Division of Predictive Systems
    >
    > Valdis.Kletnieksat_private
    > 10/23/2001 12:29 PM
    >         To:     jkruser <jkruserat_private>
    >         cc:     incidentsat_private, focus-idsat_private
    >         Subject:        Re: What am I seeing?
    > On Tue, 23 Oct 2001 11:38:36 EDT, jkruser said:
    > > problem is...looks like, to me, that it is not coming from outside...thus
    > > the ingress filtering will not stop it. Or am I missing something?
    > > 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated,
    > > MY.C.BLOCK.177, ,, , dstport=7&srcport=21497, 1
    > The trick here is to remember that ingress filtering will *not* stop these
    > packets (as you noted, they originate inside the filter).  What you need to do
    > is find the packet that's being sent IN that's causing these replies, and
    > ingress filter THAT.
    > This is similar to stopping SMURF attacks (which consist of streams of
    > ICMP Echo Reply packets) by configuring your routers to Do The Right
    > Thing(*) with ICMP Echo *Request* packets....
    > -- 
    > Valdis Kletnieks
    > Operating Systems Analyst
    > Virginia Tech
    > (*) The Right Thing is documented in RFC2644 "Changing the Default for
    > Directed Broadcast in Routers".  To summarize - routers should drop
    > packets going to a subnet's broadcast address by default, and it should
    > only be enabled if you know what you're doing....

    Bill Scherr IV, GCIA
    Electronic Warfare Associates / IIT
    Lafayette RTI, Camp Johnson
    Colchester, VT 05446
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 08:55:44 PDT
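
The thread's advice is to filter the inbound packet that elicits the replies: reserved/RFC 1918 sources and anything addressed to a broadcast of the protected block. The following is an added example, not part of the thread or of obsid's script, sketching that border check in Python; the 192.0.2.0/24 block (a documentation range standing in for the poster's /24), the packet field names and the sample packets are all constructed assumptions.

```python
import ipaddress

# Assumption: 192.0.2.0/24 (documentation range) stands in for the protected /24.
PROTECTED = ipaddress.ip_network("192.0.2.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
# Both the all-ones and the old-style all-zeros host address act as broadcasts.
DIRECTED_BROADCASTS = (PROTECTED.broadcast_address, PROTECTED.network_address)
UDP_ECHO = 7        # the dstport seen in the IDS alert quoted in the thread
ICMP_ECHO_REQUEST = 8


def ingress_verdict(pkt):
    """Return (action, reason) for a packet arriving on the outside interface."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if any(src in net for net in RFC1918):
        return "drop", "RFC 1918 source arriving from outside"
    if src in PROTECTED:
        return "drop", "spoofed source: our own block arriving from outside"
    if dst == LIMITED_BROADCAST or dst in DIRECTED_BROADCASTS:
        if pkt["proto"] == "udp" and pkt.get("dport") == UDP_ECHO:
            return "drop", "fraggle trigger: UDP echo to broadcast"
        if pkt["proto"] == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
            return "drop", "smurf trigger: ICMP echo request to broadcast"
        return "drop", "directed/limited broadcast"
    return "permit", "no filter matched"


# Constructed sample packets (not taken from the thread).
SAMPLE = [
    {"src": "198.51.100.9", "dst": "192.0.2.255", "proto": "udp", "dport": 7},
    {"src": "198.51.100.9", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},
    {"src": "10.1.2.3", "dst": "192.0.2.20", "proto": "udp", "dport": 53},
    {"src": "192.0.2.77", "dst": "192.0.2.0", "proto": "udp", "dport": 7},
    {"src": "198.51.100.9", "dst": "192.0.2.20", "proto": "tcp", "dport": 25},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["src"], "->", p["dst"], ingress_verdict(p))
```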