
Re: [FW1] Fwd: Re: Smurf attack




I think the better way is to block the Smurf attack at the router side, supposing
the attack is coming from an outside network.
Stop your routers from mapping traffic destined for the network broadcast
address to the LAN broadcast address.
By preventing this mapping, your systems will no longer receive these echo
requests.
Enter this command on the router LAN interface:
          no ip directed-broadcast
This must be performed on every LAN interface on every router. This command
will not be effective if it is performed only on your perimeter router.

Hope it's helpful,
Jin



                                                                                                                                          
                    P L <[email protected]>                                                                                       
                    Sent by:                                    To:     [email protected]                      
                    [email protected]        cc:                                                                       
                    kpoint.com                                  Subject:     [FW1] Fwd: Re: Smurf attack                                  
                                                                                                                                          
                                                                                                                                          
                    08/17/2001 11:11 PM                                                                                                   
                                                                                                                                          
                                                                                                                                          






> To: Paul Cunningham <[email protected]>
>
> To the best of my knowledge, I would think you would want to call
> your ISP and have them change their routers to stop the attack,
> assuming the attack is coming from a leased line to the internet.
> You can change the rules on your firewall to stop the attack there,
> but if your ISP's routers are still vulnerable, that won't fix your
> problem.  You'd probably want to get your ISP's help to try to figure
> out where the attack is coming from, as maybe law enforcement might
> be interested.
>
> If the attack is coming from inside your network, a firewall probably
> won't help, though if you have internal routers those might be able
> to help.
>
> As far as blocking ICMP on your firewall, I don't know if I can help
> you from here, but on my Firewall-1 v4 GUI, first I have to go into
> the Security Policy program and go into Policy, Properties, Access
> Lists, and remove the checkbox for Allow ICMP.  Then, you have to read
> the rules in your rulebase one by one to make sure there isn't a rule
> that allows ICMP or all traffic out from your network to the untrusted
> network. Be sure to select View, Implied Pseudo-Rules to see the
> hidden rules in yellow which are put there by the options under
> Policy, Properties.
>
> You could add a rule that blocks ICMP traffic, but where you add the
> rule makes a big difference as the rules are processed top to bottom.
> You probably want to add the rule near the top of the rulebase, or at
> least before you start seeing rules that allow traffic.  The rule
> might look like this:
>
> Source = source of the attacks
> Destination = All or = Attacked Network
> Service = ICMP
> Action = Drop
> Track = Short or Long [again look at the other rules]
> Install On = Your firewall [look at how the other rules are set up here]
> Time = Any
>
> Note that a rule allowing traffic out also allows the responses to
> that traffic back in, so you don't have to set up a second rule to
> allow the traffic back in.
>
> When you're happy with the rule, click on Save, then click on Policy,
> Install, and then test the network after the rulebase is installed to
> make sure everything is working as expected.  Also, initiate some test
> ICMP traffic from the untrusted network and check the log viewer to
> make sure the traffic you want to drop is being dropped.  You can
> filter on Service/Protocol = ICMP, or Action = Drop, or both.
>
> Why do you suspect a Smurf attack? If you're not sure whether or not
> you are really having a Smurf attack, the FW-1 Log Viewer is your
> friend.  Right-click on the headers to select the type of traffic
> you're trying to see [e.g. choose to look just at the ICMP protocol
> and maybe filter out entries by destination].
>
> http://www.grc.com/ has an interesting story on how they handled a
> similar attack.
>
> I hope this helps.  It's hard to help with a problem like this from
> here without knowing more details about your software and hardware
> and network.  Let me know if anything interesting happens.
>
>
> --- Paul Cunningham <[email protected]> wrote:
> >
> > Hello all,
> >
> > I am a newbie with this software and have been thrust into a
> > situation that requires me to write a rule for my firewall denying
> > all ICMP traffic. Our regular administrator is unreachable and we
> > have no tech support. I need to lock this down to stop a "Smurf"
> > attack on my network. If anyone might be kind enough to lend me a
> > hand I would appreciate it. I'm sure it's easy for people who are
> > well versed in the software, but I am looking at it for the first
> > time today! I'm sure that rule may already be in place, but need to
> > verify that. I figured out the basics on how to create the rule, but
> > I'm not sure where the objects should be placed and what, if any,
> > advanced features I need to invoke.
> >
> > Thanks,
> >
> > Paul




================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
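
An added example, not from the thread or from Check Point: a first-match model in Python of the quoted advice that rules are processed top to bottom, showing that the ICMP drop rule never fires when it sits below a broad accept rule. The rule dictionaries, addresses, probe packets and function names are hypothetical and do not reflect FireWall-1's own rule format.

```python
import ipaddress

ANY = None  # wildcard for a rule field

def _net_match(rule_net, addr):
    """True if addr falls inside rule_net, or the rule field is a wildcard."""
    return rule_net is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(rule_net)

def first_match(rulebase, pkt):
    """Return (rule number, action) of the first rule matching pkt; default drop."""
    for num, r in enumerate(rulebase, start=1):
        if (_net_match(r["src"], pkt["src"]) and _net_match(r["dst"], pkt["dst"])
                and r["service"] in (ANY, pkt["service"])):
            return num, r["action"]
    return None, "drop"

def shadowed_rules(rulebase, probes):
    """Rule numbers that never win first-match for any of the probe packets.

    This is only as complete as the probe set; it is not an exhaustive proof.
    """
    hit = {first_match(rulebase, p)[0] for p in probes}
    return [n for n in range(1, len(rulebase) + 1) if n not in hit]

# Constructed rules using documentation address ranges, modelled on the
# Source / Destination / Service / Action sketch in the quoted post.
DROP_ICMP = {"src": "203.0.113.0/24", "dst": "192.0.2.0/24",
             "service": "icmp", "action": "drop"}
ALLOW_WEB = {"src": ANY, "dst": "192.0.2.0/24",
             "service": "http", "action": "accept"}
ALLOW_ALL_IN = {"src": ANY, "dst": "192.0.2.0/24",
                "service": ANY, "action": "accept"}

# Constructed probe packets: attack-source ICMP, plus ordinary web and mail.
PROBES = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "service": "icmp"},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "service": "http"},
    {"src": "198.51.100.5", "dst": "192.0.2.10", "service": "smtp"},
]

DROP_LAST = [ALLOW_WEB, ALLOW_ALL_IN, DROP_ICMP]   # drop rule below a broad accept
DROP_FIRST = [DROP_ICMP, ALLOW_WEB, ALLOW_ALL_IN]  # drop rule near the top
```

With `DROP_LAST` the ICMP probe is accepted by rule 2 and rule 3 is reported as shadowed; with `DROP_FIRST` the same probe is dropped by rule 1 and no rule is shadowed.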








   All contents © 2004 Network Presence, LLC. All rights reserved.