Has someone come up with instructions on how to do source address
filtering/verification for different brands of routers? It would be
good if someone could put up a web page with complete instructions on
how to do this. If this could be done quickly enough we could possibly
get the URL some publicity due to the current Panix attack.
I would certainly publicize such a website. Although I think it would be
best if it was placed at some other site with info that ISPs should see,
like perhaps www.ra.net.
So far I've only seen Cisco filters posted. We still need to see
instructions for Livingston IRX, Bay, and Linux/FreeBSD ipfwadm.
Simple for Livingstons...
create a filter "internet.out"
Contents:
three lines for each net block you have:
permit 1.2.3.4/20 tcp
permit 1.2.3.4/20 udp
permit 1.2.3.4/20 icmp
final line to log (optional) MUST COME AFTER permit list for netblocks:
deny log
The final line will have the router syslog a message any time someone
tries to send from an address outside your blocks, as defined in the
rest of the filter. This is optional. Keep in mind that the Panix
attack would probably have flooded your syslog machine's disk space
with syslog info in this case. Hardening that is an issue for another day,
however.
Apply this to all outbound ports on your gateway IRX routers.
You can do similar things with inbound ports on customer connections
or other internal routers if you desire to start filtering earlier
than your border gateway machines.
For example, if 1.2.3.0/21 is your block for your St Louis hub and
2.3.11.0/24 and 2.3.22.0/26 are customer nets there, then
the outbound interface for your St Louis IRX could have the
following filter on its outbound interface(s):
permit 1.2.3.0/21 tcp
permit 1.2.3.0/21 udp
permit 1.2.3.0/21 icmp
permit 2.3.11.0/24 tcp
permit 2.3.11.0/24 udp
permit 2.3.11.0/24 icmp
permit 2.3.22.0/26 tcp
permit 2.3.22.0/26 udp
permit 2.3.22.0/26 icmp
deny log
Alternatively you can filter on incoming ports with the same syntax.
-george william herbert
gherbert@crl.com
Random Disclaimer time, since InterNIC asked me recently:
I have not been a CRL employee for nearly 2 years.
My opinions are of course my own.
George Herbert writes:
> Simple for Livingstons...
> create a filter "internet.out"
> Contents:
> three lines for each net block you have:
> permit 1.2.3.4/20 tcp
> permit 1.2.3.4/20 udp
> permit 1.2.3.4/20 icmp
Actually, a single "permit 1.2.3.4/20" line will do. In Livingston
command line syntax:
set filter internet.out 1 permit 1.2.3.4/20
> final line to log (optional) MUST COME AFTER permit list for netblocks:
> deny log
> The final line will have the router syslog a message any time someone
> tries to send from an address outside your blocks, as defined in the
> rest of the filter. This is optional. Keep in mind that the Panix
> attack would probably have flooded your syslog machine's disk space
> with syslog info in this case. Hardening that is an issue for another day,
> however.
Logging denies will fill up your log anyway. Packets arriving for a
dialup user after he/she hangs up fall through to the default route
back out of the box. They are then _outbound_ packets with source
address off the network and destination address on the network.
Dialup providers who want to log denies based on a source address
being on their network should have a preceding unlogged deny based on
the destination address being on their network:
set filter internet.out 1 permit 1.2.3.4/20
set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
set filter internet.out 3 deny log
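To make the rule-ordering point concrete, here is an added Python model (not code from this thread or from Livingston) that parses the three "set filter" lines above and evaluates sample packets against them. It assumes the syntax "set filter NAME N ACTION [SRC [DST]] [log]", first match wins, and uses constructed sample addresses.

```python
import ipaddress

# The three-rule filter from the message above, as constructed sample input.
CONFIG = """
set filter internet.out 1 permit 1.2.3.4/20
set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
set filter internet.out 3 deny log
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_filter(text):
    """Parse 'set filter NAME N ACTION [SRC [DST]] [log]' lines (assumed
    Livingston syntax) into (number, action, src, dst, log) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["set", "filter"]:
            continue
        num, action, rest = int(tok[3]), tok[4], tok[5:]
        log = False
        if rest and rest[-1] == "log":
            log, rest = True, rest[:-1]
        # strict=False: the thread writes the block as 1.2.3.4/20, not 1.2.0.0/20
        prefixes = [ipaddress.ip_network(p, strict=False) for p in rest]
        src = prefixes[0] if len(prefixes) > 0 else ANY
        dst = prefixes[1] if len(prefixes) > 1 else ANY
        rules.append((num, action, src, dst, log))
    return sorted(rules)

def evaluate(rules, src_ip, dst_ip):
    """Return (rule_number, action, logged) for the first matching rule.
    If nothing matches, an implicit unlogged deny is assumed."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for num, action, src, dst, log in rules:
        if s in src and d in dst:
            return num, action, log
    return None, "deny", False

RULES = parse_filter(CONFIG)

if __name__ == "__main__":
    # Outbound from our own block: permitted by rule 1.
    print(evaluate(RULES, "1.2.5.9", "198.51.100.7"))
    # Hung-up dialup user's traffic bouncing back out: source off-net but
    # destination on-net, so rule 2 drops it without a syslog entry.
    print(evaluate(RULES, "198.51.100.7", "1.2.5.9"))
    # Spoofed source headed off-net: rule 3 denies and logs.
    print(evaluate(RULES, "203.0.113.5", "198.51.100.7"))
```

Swapping rules 2 and 3 in CONFIG shows why the order matters: the hung-up dialup case then matches the logged deny first.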