Solution: Re: Huge smurf attack

I should have been more careful when stating 'filtering icmp' in my
previous messages. I use something similar to this:

! Numbered extended ACL; entries are evaluated top-down, first match wins,
! and anything not matched is dropped by the implicit deny at the end.
access-list 101 deny icmp any any echo
! The poster notes below that his own list permits echo-reply instead.
access-list 101 deny icmp any any echo-reply
! Everything else in ICMP (unreachable, time-exceeded, etc.) still passes.
access-list 101 permit icmp any any

Only I'm allowing the echo-reply so I can ping/traceroute out for my
troubleshooting needs. However, I don't buy the 'it breaks testing methods'
because there are other ways to test that using icmp for incoming stuff.
Plus, if you use named access lists (in new code releases), you can throw
in a permit statement then delete it without taking out the whole list.
(That is done with the 'ip access-list extended <name>' subset, very nice,
check it out.) Of course this doesn't do anything for your upstream links,
but what can you do about that anyway? Get on your tier 1 provider for
that!

Plus, you STILL have directed broadcasts turned off in my scenario so the
access list is almost futile.

And if you are worried about excess CPU utilization, so what? Look into
stuff like the netflow switching commands rather than the optimal setting.
That can make a tremendous difference. Or you can always buy better gear!
How important is your service??

later-

devin
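To make the behaviour of the numbered list above concrete, here is an added example (not from the thread) that evaluates IOS-style ICMP entries with first-match semantics and the implicit trailing deny, comparing the three lines as posted with the variant the poster says he actually runs (echo-reply permitted). The ICMP type-name mapping is a constructed subset of IOS keywords.

```python
import re

# Constructed subset of the ICMP type keywords IOS accepts in an ACL entry.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# access-list <num> permit|deny icmp any any [icmp-type]
ENTRY = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+icmp\s+any\s+any(?:\s+(\S+))?$"
)

def parse_acl(text):
    """Parse numbered ACL lines into (number, action, icmp_type_or_None)."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):   # blank or IOS comment line
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        num, action, type_name = m.groups()
        icmp_type = ICMP_TYPES[type_name] if type_name else None  # None = any
        entries.append((int(num), action, icmp_type))
    return entries

def evaluate(entries, icmp_type):
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for _num, action, match_type in entries:
        if match_type is None or match_type == icmp_type:
            return action
    return "deny"

POSTED_ACL = """
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 101 permit icmp any any
"""

# Variant described in the post: echo-reply is let in so ping/traceroute out works.
VARIANT_ACL = """
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any
"""

def verdicts(acl_text):
    """Map each known ICMP type name to the ACL's permit/deny decision."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, t) for name, t in ICMP_TYPES.items()}

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("variant", VARIANT_ACL)):
        print(label, verdicts(acl))
```

Both lists still pass unreachable and time-exceeded, which is why traceroute replies and path-MTU signalling survive even when echo is dropped.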

"Craig A. Huegen" <chuegen@quadrunner.com> on 01/12/99 02:01:04 PM

> Only I'm allowing the echo-reply so I can ping/traceroute out for my
> troubleshooting needs. However, I don't buy the 'it breaks testing methods'
> because there are other ways to test that using icmp for incoming stuff.

Yes, but, do you have any idea how many tech support calls would be
generated by our customers complaining that they can't ping or be pinged?
Our service is advertised as unrestricted Internet access. Our customers
rightfully expect to be able to ping out as well as be pinged. If we
blocked all echo throughout our network, we would be completely flooded
with technical support calls. Doing something like this, similar to the
several suggestions to filter all .0 and .255 addresses, is an attempt to
fix the symptom instead of the real problem.

> Plus, you STILL have directed broadcasts turned off in my scenario so the
> access list is almost futile.

Of course.

Brandon Ross, Network Engineering, 404-815-0770 / 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc. info@mindspring.com
ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed
broadcasts. See http://www.quadrunner.com/~chuegen/smurf.cgi for details.