Smurfing

One of my customers is being smurfed right now. Filling a 10 Meg to UUNet.

It is wonderful to know that everyone has 'no ip directed-broadcast'.

It's *SO* easy to do!

Hmmm, let's see...

Bay Networks, Inc. and its Licensors.
Copyright 1992, 1993, 1994, 1995, 1996, 1997. All rights reserved.

Login: Manager

Password: Mounting new volume...
Device label:
Directory: 1:
New Present Working Directory: 1:

      Welcome to the Backbone Technician Interface

[1:TN]$ conf t
conf t: unknown command

[1:TN]$ no ip directed-broadcast
no ip directed-broadcast: unknown command

It's all well and good that everyone knows backwards and forwards how to
configure this sort of thing on a Cisco, but there are other vendors out
there making routers too. What is trivial in IOS may turn out to be a
real bitch on other equipment. From what I understand, Bay is working on
getting a similar feature in 12.something, but what of Ascend, OpenRoute,
and others making equipment that can handle big connections?

Perhaps some of the folks on NANOG that use equipment other than Cisco
would like to share how they "configure their router for that"? It would
be a nice service to everyone...

Charles

==>It's all well and good that everyone knows backwards and forwards how to
==>configure this sort of thing on a Cisco, but there are other vendors out
==>there making routers too. What is trivial in IOS may turn out to be a
==>real bitch on other equipment. From what I understand, Bay is working on
==>getting a similar feature in 12.something, but what of Ascend, OpenRoute,
==>and others making equipment that can handle big connections?
==>
==>Perhaps some of the folks on NANOG that use equipment other than Cisco
==>would like to share how they "configure their router for that"? It would
==>be a nice service to everyone...

http://www.quadrunner.com/~chuegen/smurf.txt

It has Bay Networks and Proteon information, and I'm adding Ascend
information as well within the next week.

With Bay Networks, you must set a false static ARP for the broadcast
address and then it will not send directed broadcasts. A Bay SE tells me
that an option to disable directed broadcasts is being implemented and
will be in a major release expected around April.

With Ascend, you must filter traffic to the broadcast address.

This page has been up since October and was mentioned in the CERT,
bugtraq, etc., advisories as well as a lot of media articles on smurfing.
Where've you been? =)

/cah

Charles Sprickman wrote:

It's all well and good that everyone knows backwards and forwards how to
configure this sort of thing on a Cisco, but there are other vendors out
there making routers too. What is trivial in IOS may turn out to be a
real bitch on other equipment.

From http://www.quadrunner.com/~c-huegen/smurf.txt :

* Bay Networks:
  <snip>
  A workaround is to set a false static ARP
  address in the router for the broadcast address of the LAN you wish to
  protect, or set a false static host route for the broadcast address.

Haven't played with any Bay routers since before this paper was
released, so I haven't tried it. Sounds like a reasonable solution,
though. Just a quick FYI.

Brian

[1:TN]$ no ip directed-broadcast
no ip directed-broadcast: unknown command

If it won't smurf block, whatever the syntax, try

    [1:TN]$ rma

randy

To take the false static ARP concept a little further, I've
been advised to use a fake adjacent host entry to accomplish
this. A Bay SE sent this to me today:

"In order to protect a directly connected network from being a
smurf launch point, you can configure an Adjacent Host for the
broadcast address (if the network is a /24 then the broadcast
addresses would be x.x.x.0 and x.x.x.255) with a bogus MAC address.
This will cause the smurf traffic to be sent to that bogus MAC
address, which results in NO ONE replying to the smurf."

We originally were advised to use a blackhole static route,
but that does not take precedence over a directly connected
route in the route table.

Kevin
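The two practical pieces of this thread, spotting which networks are amplifying a smurf against a victim and deciding at the router whether an inbound packet is aimed at a connected LAN's broadcast address (the "filter traffic to the broadcast address" approach, covering both x.x.x.0 and x.x.x.255 as the Bay SE describes), as an added Python example. This is not code from any poster or vendor in the thread; the packet records, the victim address and the function names are constructed for illustration.

```python
"""Smurf amplifier triage and directed-broadcast filtering.

Added example, not from the NANOG thread. Packets are modelled as
(src, dst, icmp_type) tuples; the samples below are constructed, not
captured traffic.
"""
import ipaddress
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Constructed sample: what the victim's edge sees during a smurf.
VICTIM = "192.0.2.10"
SAMPLE_PACKETS = [
    # 39 distinct hosts in 198.51.100.0/24 replying: an amplifier network
    *[(f"198.51.100.{h}", VICTIM, ICMP_ECHO_REPLY) for h in range(1, 40)],
    # a second, smaller amplifier network
    *[(f"203.0.113.{h}", VICTIM, ICMP_ECHO_REPLY) for h in (5, 9, 17, 200)],
    # one lone reply: not enough responders to call it an amplifier
    ("198.18.0.7", VICTIM, ICMP_ECHO_REPLY),
    # unrelated traffic to another host
    ("198.51.100.3", "192.0.2.11", ICMP_ECHO_REQUEST),
]


def find_amplifiers(packets, victim, min_hosts=3):
    """Group ICMP echo replies addressed to the victim by source /24 and
    keep prefixes with at least min_hosts distinct responders. The
    result maps prefix -> sorted list of responding hosts, i.e. the
    networks whose operators need to be told to disable directed
    broadcasts."""
    replies = defaultdict(set)
    for src, dst, icmp_type in packets:
        if dst != victim or icmp_type != ICMP_ECHO_REPLY:
            continue
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        replies[str(net)].add(src)
    return {
        net: sorted(hosts, key=ipaddress.ip_address)
        for net, hosts in replies.items()
        if len(hosts) >= min_hosts
    }


def broadcast_targets(prefix):
    """Addresses a smurf can reflect off on a LAN: the all-ones broadcast
    and the all-zeros network address (older BSD-derived stacks answer
    both). For a /24 that is x.x.x.255 and x.x.x.0."""
    net = ipaddress.ip_network(prefix, strict=False)
    return {str(net.network_address), str(net.broadcast_address)}


def is_directed_broadcast(dst, connected_prefixes):
    """Router-side check: True if dst is a broadcast or network address
    of one of the directly connected LANs. Dropping such packets on the
    WAN-facing side is the filter-based mitigation for vendors that
    have no 'no ip directed-broadcast' equivalent."""
    return any(dst in broadcast_targets(p) for p in connected_prefixes)


def filter_inbound(packets, connected_prefixes):
    """Return only the packets the broadcast filter would let through."""
    return [p for p in packets
            if not is_directed_broadcast(p[1], connected_prefixes)]


if __name__ == "__main__":
    for net, hosts in find_amplifiers(SAMPLE_PACKETS, VICTIM).items():
        print(f"{net}: {len(hosts)} responders, e.g. {hosts[:3]}")
    # Constructed inbound packets at an amplifier's router:
    inbound = [
        ("192.0.2.10", "198.51.100.255", ICMP_ECHO_REQUEST),  # spoofed victim src
        ("192.0.2.10", "198.51.100.0", ICMP_ECHO_REQUEST),
        ("192.0.2.10", "198.51.100.7", ICMP_ECHO_REQUEST),    # ordinary ping
    ]
    print("passed filter:", filter_inbound(inbound, ["198.51.100.0/24"]))
```

Run from the victim's side, `find_amplifiers` turns a reply flood into the list of /24s to contact; run from the amplifier's side, `is_directed_broadcast` is the decision an inbound filter has to make, and it deliberately treats x.x.x.0 the same as x.x.x.255.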

Dear Randy,

You must use this command in configuration mode.
Though I have not done it yet, it is very likely
used under interface mode?!

regards,

tatsuya