RLBM (un"protection" meathod)

Fri Jan 23 04:14:57 UTC 1998

-----Original Message-----
From: Paul Ferguson <ferguson at cisco.com>
To: Eric Osborne <osborne at notcom.com>
Cc: Dave Van Allen <dave at fast.net>; eric at ccti.net <eric at ccti.net>;
nanog at merit.edu <nanog at merit.edu>
Date: Thursday, January 22, 1998 11:00 AM
Subject: Re: Reporting Little Blue Men

>At 10:55 PM 1/21/98 -0500, Eric Osborne wrote:
>
>>How do you prevent packets from your network with a broadcast address,
since
>>what defines a "broadcast" address really depends on the subnet mask?
>>
>
>"no ip directed-broadcast"
>
>- paul
>

That directive on the router will only protect the network of the router
interface it is put on.  For example, if I have:
!
hostname Router1
!
interface Ethernet0
ip address X.Y.Z.1 255.255.255.0
no ip directed-broadcast
!

"ONLY" X.Y.Z.0 will be protected from someone trying to use "ping X.Y.Z.255"
as a bounce site.  No other networks beyond the one I have defined with my
subnet mask will be protected.  The reason I know this is because I was
hoping this directive would be an easy fix...but when I checked it out, the
hole in my logic became apparent.  If anyone has experienced different, I
would be interested in hearing the IOS used and the setup of the router.

The "no ip directed-broadcast" directive, if applied to all router
interfaces, will prevent your site from being a bounce site in the smurf
attack.  Unfortunately, it will not prevent you from being the end victim.
The only way I can think of to stop your site from being a victim is to do
one of two things: 1) block all ICMP (type 8, in particular) or 2) Have some
type of firewall device that keeps track of all ICMP requests coming from
your site with the intent to block any ICMP responses that do not match a
request.  Option 1 is not possible for most, and I currently don't know of a
proxy/firewall/etc... that will track ICMP in this way.  If anyone does,
please let me know!

Sam Birch