From gherbert@crl.com Thu Sep 19 21:35:34 1996
From: George Herbert <gherbert@crl.com>
To: nanog@merit.edu, iepg@iepg.org
Subject: Re: New Denial of Service Attack on Panix

>So far I've only seen Cisco filters posted. We still need to see
>instructions for Livingston IRX, Bay, and Linux/FreeBSD ipfwadm

Simple for Livingstons...

create a filter "internet.out"
Contents:
three lines for each net block you have:

    permit 1.2.3.4/20 tcp
    permit 1.2.3.4/20 udp
    permit 1.2.3.4/20 icmp

final line to log (optional) MUST COME AFTER permit list for netblocks:

    deny log

The final line will have the router syslog a message any time someone
tries to send from an address outside your blocks, as defined in the
rest of the filter. This is optional. Keep in mind that the panix
attack would probably have flooded your syslog machine's disk space
with syslog info in this case. Hardening that is an issue for another day,
however.

Apply this to all outbound ports on your gateway IRX routers. You can
do similar things with inbound ports on customer connections or other
internal routers if you desire to start filtering earlier than your
border gateway machines.

For example, if 1.2.3.0/21 is your block for your St Louis hub and
2.3.11.0/24 and 2.3.22.0/26 are customer nets there, then the outbound
interface for your St Louis IRX could have the following filter on its
outbound interface(s):

    permit 1.2.3.0/21 tcp
    permit 1.2.3.0/21 udp
    permit 1.2.3.0/21 icmp
    permit 2.3.11.0/24 tcp
    permit 2.3.11.0/24 udp
    permit 2.3.11.0/24 icmp
    permit 2.3.22.0/26 tcp
    permit 2.3.22.0/26 udp
    permit 2.3.22.0/26 icmp
    deny log

Alternatively you can filter on incoming ports with the same syntax.

-george william herbert
gherbert@crl.com

Random Disclaimer time, since InterNIC asked me recently: I have not
been a CRL employee for nearly 2 years. My opinions are of course my own.
From stpeters@NetHeaven.com Fri Sep 20 07:00:55 1996
From: "Dick St.Peters" <stpeters@NetHeaven.com>
To: nanog@merit.edu, iepg@iepg.org
Subject: Re: New Denial of Service Attack on Panix

George Herbert writes:
> Simple for Livingstons...
>
> create a filter "internet.out"
> Contents:
> three lines for each net block you have:
>
>     permit 1.2.3.4/20 tcp
>     permit 1.2.3.4/20 udp
>     permit 1.2.3.4/20 icmp

Actually, a single "permit 1.2.3.4/20" line will do. In Livingston
command line syntax:

    set filter internet.out 1 permit 1.2.3.4/20

> final line to log (optional) MUST COME AFTER permit list for netblocks:
>     deny log
>
> The final line will have the router syslog a message any time someone
> tries to send from an address outside your blocks, as defined in the
> rest of the filter. This is optional. Keep in mind that the panix
> attack would probably have flooded your syslog machine's disk space
> with syslog info in this case. Hardening that is an issue for another day,
> however.

Logging denies will fill up your log anyway. Packets arriving for a
dialup user after he/she hangs up fall through to the default route
back out of the box. They are then _outbound_ packets with source
address off the network and destination address on the network.

Dialup providers who want to log denies based on a source address being
on their network should have a preceding unlogged deny based on the
destination address being on their network:

    set filter internet.out 1 permit 1.2.3.4/20
    set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
    set filter internet.out 3 deny log

--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
stpeters@NetHeaven.com
Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
From gherbert@crl.com Thu Sep 19 21:38:59 1996
From: George Herbert <gherbert@crl.com>
To: nanog@merit.edu, iepg@iepg.org
Subject: Re: New Denial of Service Attack on Panix

I have to stand somewhat corrected.

>create a filter "internet.out"
>Contents:
>three lines for each net block you have:
>
>    permit 1.2.3.4/20 tcp
>    permit 1.2.3.4/20 udp
>    permit 1.2.3.4/20 icmp

The more appropriate format would be:

    permit 1.2.3.4/20 0.0.0.0/0 tcp
    permit 1.2.3.4/20 0.0.0.0/0 udp
    permit 1.2.3.4/20 0.0.0.0/0 icmp

You are *supposed* to use a src/dest netblock pair, though I have set up
and used w/o a dest address and it worked.

>final line to log (optional) MUST COME AFTER permit list for netblocks:
>    deny log

If you choose not to log, then you need a line:

    deny

Otherwise that which falls through isn't denied, obviously.

Doing router filters while fatigued is often a problematic process.
Try and work on them when you aren't so tired, unlike me when I sent
my first mail 8-)

-george william herbert
gherbert@crl.com
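The two ordering points made in the replies above (a filter with no final deny lets unmatched packets fall through, and the unlogged destination-based deny must sit ahead of "deny log" so replies for hung-up dialup users do not flood syslog) as an added Python model; this is not code from the thread or from Livingston's ComOS. It assumes first-match evaluation with omitted fields matching anything, treats a packet that matches no rule as "fallthrough", and the traffic samples are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
PROTOS = {"tcp", "udp", "icmp"}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"

def parse_rule(line):
    """Parse one filter line such as 'permit 1.2.3.0/21 0.0.0.0/0 tcp',
    'deny 0.0.0.0/0 1.2.3.4/20' or 'deny log'. Omitted fields match anything."""
    action, *fields = line.split()
    log = "log" in fields
    proto = next((f for f in fields if f in PROTOS), None)
    nets = [ipaddress.ip_network(f, strict=False)
            for f in fields if f not in PROTOS and f != "log"]
    src = nets[0] if nets else ANY
    dst = nets[1] if len(nets) > 1 else ANY
    return action, src, dst, proto, log

def evaluate(filter_lines, pkt):
    """First matching rule decides; returns (verdict, logged). A packet matching
    no rule is reported as 'fallthrough' (assumed not denied, as the thread warns)."""
    for action, src, dst, proto, log in map(parse_rule, filter_lines):
        if (ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst
                and proto in (None, pkt.proto)):
            return action, log
    return "fallthrough", False

# The three filter variants as they appear in the thread.
NO_FINAL_DENY = ["permit 1.2.3.4/20 0.0.0.0/0 tcp",
                 "permit 1.2.3.4/20 0.0.0.0/0 udp",
                 "permit 1.2.3.4/20 0.0.0.0/0 icmp"]
LOGGED_DENY = ["permit 1.2.3.4/20", "deny log"]
DIALUP_AWARE = ["permit 1.2.3.4/20", "deny 0.0.0.0/0 1.2.3.4/20", "deny log"]

# Constructed sample traffic; all addresses are made up for this example.
LEGIT = Packet("1.2.3.77", "198.51.100.9", "tcp")       # our customer, outbound
SPOOFED = Packet("203.0.113.5", "198.51.100.9", "udp")  # source not in our block
HUNG_UP = Packet("198.51.100.9", "1.2.9.40", "tcp")     # reply for a user who dropped

if __name__ == "__main__":
    for name, rules in [("no final deny", NO_FINAL_DENY), ("logged deny", LOGGED_DENY), ("dialup-aware", DIALUP_AWARE)]:
        for pkt in (LEGIT, SPOOFED, HUNG_UP):
            print(f"{name:14} {pkt.src:>13} -> {pkt.dst:<13} {evaluate(rules, pkt)}")
```

Running it shows the spoofed packet passing the deny-less filter, the hung-up user's reply being logged by the two-line filter, and only the genuinely spoofed packet reaching "deny log" in the three-line version.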