[nsp] UDP broadcast filters. (fwd)
Craig A. Huegen
chuegen at quadrunner.com
Mon Mar 16 18:52:02 UTC 1998
Here's some more information about the release of the UDP smurf, also
called "fraggle", which was made this weekend. I understand a request was
made to nanog as well requesting information.
Almost the same rules as "smurf" apply.
"no ip directed-broadcast" is your friend.
/cah
---------- Forwarded message ----------
Date: Mon, 16 Mar 1998 09:35:36 -0800 (PST)
From: "Craig A. Huegen" <chuegen at quadrunner.com>
To: Cisco-NSP <cisco-nsp at iagnet.net>
Cc: Cisco at Colorado <cisco at spot.colorado.edu>
Subject: Re: [nsp] UDP broadcast filters.
On Mon, 16 Mar 1998 jlixfeld at idirect.ca wrote:
==>I've kept hearing about a UDP smurf floating around and I'd like to put up
==>a firewall to prevent it. Can anyone give me any insight on how this is
==>done? I don't understand enough about UDP, broadcasts or enough about
==>access-lists to create an effective one. Can anyone give me some
==>pointers?
I'm going to be updating my smurf pages at
http://www.quadrunner.com/~chuegen/smurf/ to contain the information about
the UDP smurf.
Basically, here are the key points:
* UDP smurf is just like the ICMP smurf, using directed-broadcast and UDP
port 7
* A bit more dangerous if the packet is spoofed just right, because it
can cause an endless packet loop with some stacks until the packets get
dropped.
Prevention pieces:
* "no ip directed-broadcast" still prevents your network from being an
intermediary
* Disable the internal troubleshooting services in machines, where
possible. For UNIX boxes, comment the "echo" and "chargen" services in
inetd.conf and restart inetd:
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
* It's easier to filter UDP smurfs without breaking something. For
instance, filtering ICMP smurfs required that you break ping (and block
ICMP echo-reply packets)
access-list <x> deny udp any eq echo any
access-list <x> deny udp any any eq echo
Adding these to an inbound access-list will protect the traffic from
getting past.
You should see more information on my pages in a few days.
/cah
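The two prevention pieces above (commenting out echo/chargen in inetd.conf, and the two access-list lines on UDP port 7) can be checked mechanically. The following is an added example written for this page, not code from the original post or from Cisco: it audits an inetd.conf for the echo and chargen entries, emits the commented-out version the post shows, and replays the two ACL lines plus a directed-broadcast check against constructed packet records. The inetd.conf column layout (service, socket type, protocol, wait flag, user, server), the Packet record, the 198.51.100.0/24 "local" prefix and every packet below are assumptions or constructed sample data.

```python
"""Added defensive example for the fraggle post: audit inetd.conf and model
the two Cisco ACL lines.  Not the post's own code; sample data is constructed."""
import ipaddress
from dataclasses import dataclass

# The post says to comment out both "echo" and "chargen" (tcp and udp lines).
RISKY_SERVICES = {"echo", "chargen"}

# Constructed sample inetd.conf (assumed classic column layout:
# service socket-type proto wait user server [args]).
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd  ftpd -l
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
daytime dgram   udp     wait    root    internal
"""


def audit_inetd(conf_text):
    """Return (enabled, hardened_text).

    enabled  - list of (service, proto) pairs for echo/chargen lines that are
               still active.
    hardened - the same config with those lines prefixed by '#', i.e. the
               form the post shows (inetd still has to be restarted)."""
    enabled, out = [], []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#") \
                and fields[0] in RISKY_SERVICES:
            enabled.append((fields[0], fields[2]))
            out.append("#" + line)
        else:
            out.append(line)
    return enabled, "\n".join(out) + "\n"


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple record standing in for a flow or capture line."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp", "tcp" or "icmp"


ECHO_PORT = 7


def acl_denies(pkt):
    """Model of the post's two lines:
         access-list <x> deny udp any eq echo any
         access-list <x> deny udp any any eq echo
    i.e. drop UDP whose source port or destination port is 7."""
    return pkt.proto == "udp" and ECHO_PORT in (pkt.sport, pkt.dport)


def is_directed_broadcast(dst, local_prefixes):
    """True when dst is the broadcast address of a locally attached prefix:
    the packet a router with 'ip directed-broadcast' left enabled would
    amplify onto the LAN, making the site an intermediary."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(p).broadcast_address
               for p in local_prefixes)


def classify(packets, local_prefixes):
    """Map each packet to the list of defensive tags that apply to it."""
    verdicts = {}
    for pkt in packets:
        tags = []
        if acl_denies(pkt):
            tags.append("acl-deny")
        if is_directed_broadcast(pkt.dst, local_prefixes):
            tags.append("directed-broadcast")
        verdicts[pkt] = tags
    return verdicts


# Constructed traffic: a spoofed UDP echo request to the subnet broadcast,
# ordinary DNS, an echo reply leaving the subnet, and TCP to the broadcast.
LOCAL_PREFIXES = ["198.51.100.0/24"]
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 7, "198.51.100.255", 7, "udp"),
    Packet("192.0.2.10", 40000, "198.51.100.5", 53, "udp"),
    Packet("198.51.100.20", 7, "192.0.2.10", 7, "udp"),
    Packet("192.0.2.10", 5000, "198.51.100.255", 80, "tcp"),
]

if __name__ == "__main__":
    enabled, hardened = audit_inetd(SAMPLE_INETD_CONF)
    print("active echo/chargen entries:", enabled)
    print(hardened)
    for pkt, tags in classify(SAMPLE_PACKETS, LOCAL_PREFIXES).items():
        print(pkt, "->", tags or ["pass"])
```

The ACL model is deliberately as blunt as the original lines: it drops every UDP packet touching port 7 in either direction, which the post notes is acceptable because, unlike blocking ICMP echo-reply, nothing people rely on breaks. The directed-broadcast check is a separate indicator so that a site can see which packets "no ip directed-broadcast" would have stopped from being amplified even before the ACL is in place.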