Re: ICMP/SYN Flood

From: Dr J (doctorj_at_bigpond.net.au)
Date: 05/23/03

    To: Muhammad Naseer Bhatti <mail-lists@digitallinx.com>
    Date: 23 May 2003 10:39:57 +1000
    
    

    Add the lines (should be OK for an inbound acl - check
    with your netprogs)

    deny ip host 0.0.0.0 any
    deny ip host 255.255.255.255 any

    to destroy packets destined for broadcast addresses.

    Your router should also be configured so that it cannot forward directed
    broadcasts (unless you make use of this feature):

    rtr(enable)# configure terminal
    rtr(config)# interface ethernet 0/0 <check with netprogs>
    rtr(config-if)# no ip directed-broadcast
    rtr(config-if)# end

    Also, if you are regularly receiving attacks from the sites below,
    you may need to add something similar to the lines below to your router
    config for each network that you mention. You also appear to reference
    16-bit ip-addr. spaces. This is huge and you may want to scale this
    down by getting correct masks (by inspecting the source IPs and
    doing a `whois`) or continually blocking each attack on an individual
    IP address basis - which would mean continuing to harass your netprogs.

    deny ip 37.72.0.0 0.0.255.255 any (watch direction - netprogs)
    deny tcp host 37.72.AAA.BBB any -single ip
    deny tcp host 37.72.AAA.BBB any eq 80 -single ip/protocol (WWW)

    Hope this is a start.
    Dr J.

    On Thu, 2003-05-22 at 12:47, Muhammad Naseer Bhatti wrote:
    > Hi list ..
    >
    > I am experiencing a bad DDoS attack toward one of my servers. The attack is
    > pointed to only 1 IP on which a governmental site is hosted. Seems some
    > folks don't like the site to stay up. As far as the Server (Linux) security
    > is concerned, I am able to make that up serving all requests without any
    > hesitation. The network to which I am connected is poorly configured and
    > allowing the DDoS attack to pass thru their routers. I am getting two kinds
    > of attacks here:
    >
    > - ICMP Flood
    > Simple ICMP flood from various spoofed hosts. This I know can be
    > blocked on the router for the particular IP. Unfortunately the network guys
    > are still not able to do that.
    >
    > - SYN Flood
    > Interesting thing. Lots of SYN requests from these kinds of
    > network/broadcasts towards port 80 only.
    >
    > 37.72.0.0
    > 128.89.0.0
    > 173.66.0.0
    > 37.155.0.0
    > 177.225.0.0
    > 37.94.0.0
    > 36.162.0.0
    > 117.77.0.0
    > 151.162.0.0
    > 36.216.0.0
    > 134.248.0.0
    > 175.129.0.0
    >
    > And the list goes on .. The question I want to ask here is, is the
    > network/router poorly configured at my NOC which is allowing
    > broadcasts/networks to pass through it? If so, how can I assist them to fix
    > it? I am not a Cisco guru, so might need someone to give me some hints so
    > that I can pass that to the poor NOC techs.
    >
    > Any help would be appreciated.
    >
    >
    > Thanks,
    >
    > Muhammad Naseer
    > ----
    >

    Joe Haskian

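As an added example (not code from the thread or from either poster), here is a small Python helper that turns a list of CIDR prefixes into the Cisco extended-ACL wildcard-mask form Dr J uses, so the broad /16 entries from the original post can be swapped for tighter prefixes once a whois lookup has shown the real allocation. The ACL name, the /24 entry and the single host entry are constructed assumptions. Two points the generator makes explicit: the lines match on the source address (the first address field in a Cisco extended ACL), and the builder appends an explicit permit, because an IOS ACL ends in an implicit deny and an inbound ACL without that permit would drop all traffic, not just the flood.

```python
"""Added example: generate Cisco extended-ACL deny lines from CIDR prefixes.

Cisco IOS ACLs use a wildcard mask (the bitwise inverse of the subnet
mask): 37.72.0.0/16 becomes "37.72.0.0 0.0.255.255". Each entry is a
source-address match, which is what "deny ip <src> <wildcard> any" does
on an inbound ACL. The prefix list, ACL name and the /24 and /32 entries
below are constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple


def acl_line(prefix: str, proto: str = "ip", dport: Optional[int] = None) -> str:
    """One extended-ACL deny entry for a source prefix.

    A /32 uses the `host` keyword; anything wider uses network + wildcard.
    dport, if given, becomes a destination-port match (`eq <port>`).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.num_addresses == 1:
        src = f"host {net.network_address}"
    else:
        # hostmask is already the wildcard (inverse of the netmask)
        src = f"{net.network_address} {net.hostmask}"
    line = f"deny {proto} {src} any"
    if dport is not None:
        line += f" eq {dport}"
    return line


def addresses_blocked(prefix: str) -> int:
    """How many source addresses an entry matches: a /16 is 65536, a /24 is 256."""
    return ipaddress.ip_network(prefix, strict=True).num_addresses


def build_acl(name: str, entries: List[Tuple[str, str, Optional[int]]]) -> List[str]:
    """Full named ACL: the two unspecified/broadcast-address denies from the
    reply above, the per-network entries, then an explicit permit.

    The permit matters because an IOS ACL ends in an implicit deny; an
    inbound ACL made only of deny lines would drop every packet.
    """
    lines = [
        f"ip access-list extended {name}",
        " deny ip host 0.0.0.0 any",
        " deny ip host 255.255.255.255 any",
    ]
    for prefix, proto, dport in entries:
        lines.append(" " + acl_line(prefix, proto, dport))
    lines.append(" permit ip any any")
    return lines


# Constructed sample: the first /16 from the original post as posted,
# a hypothetical /24 that a whois lookup might narrow it to, and a single
# hypothetical host limited to the web port that was under attack.
SAMPLE_ENTRIES = [
    ("37.72.0.0/16", "ip", None),
    ("37.72.10.0/24", "ip", None),
    ("37.72.10.20/32", "tcp", 80),
]

if __name__ == "__main__":
    for line in build_acl("ANTI-FLOOD-IN", SAMPLE_ENTRIES):
        print(line)
    for prefix, _, _ in SAMPLE_ENTRIES:
        print(f"! {prefix} matches {addresses_blocked(prefix)} source addresses")
```

Running it prints the named ACL followed by a comment line per prefix showing how many source addresses each entry covers, which is the quickest way to see why a /16 is "huge" compared with the tighter mask whois usually gives.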



