Re: (PM) DoS attack

Doug Ingraham (dpi@rapidnet.com)
Tue, 24 Feb 1998 10:23:04 -0700 (MST)

On Mon, 23 Feb 1998, David Denney wrote:

> I've been expecting Livingston to fix their problem with announcing routes
> (via OSPF) that a portmaster cannot reach for some time. It seems to be a
> violation of standards to announce a route you cannot reach, and then
> bounce it to your default gateway when not present. The obvious acceptable
> behavior is to return an ICMP unreachable message and toss the packet. I'm
> running ComOS 3.7.2c3 on 18 portmasters, all of which seem to have this
> problem.
>
> On Saturday night my company fell victim to a DoS attack that completely
> sacked all three of our pipes (a T3 and two T1s). The resultant ethernet
> traffic made even our 100bTx local network unusable because the
> attacker was flooding multiple portmasters on unreachable IP addresses.
> Every packet they sent bounced around our network until its TTL was
> reached. When is this disastrous behavior going to be fixed??

I too would like this fixed but there is a simple filter you can put on
the ethernet interface that fixes it perfectly.

add filter e.out
set filter e.out 1 permit Assigned_Address/27
set filter e.out 2 permit Ether0_Address/32
set filter e.out 3 deny
set ether0 ofilter e.out
save all

Where the Assigned_Address is that portmaster's Assigned Address pool and
Ether0_Address is the host address of that portmaster. I will usually
test the filter by replacing line 3 with permit log instead of deny. If
you want to see what you are denying you can use deny log for line 3. You
need two permit lines on a PM-3 for the Assigned pool, and if you are using
Radius to allocate statics or routing networks you need to permit those
as well.

It is notable that you don't even need a DoS attack to notice bouncing
packets. They can come from web servers that like to push things at your
customers after they have disconnected for many minutes. I have seen this
go on for 11 minutes when I was investigating it.

In any case, this is a perfectly acceptable workaround and does the job
almost as well as having it built in would.

Doug Ingraham
Rapid City, SD
USA

From the Ferengi Rules of Acquisition.
#34 "Peace is good for business."
#35 "War is good for business."

Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
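As an added illustration (not part of Doug's post, and not ComOS code), here is a small Python model of the bouncing described in the thread and of what the e.out output filter does to it. It assumes a constructed topology with documentation-range addresses, and that a lone address in a ComOS filter rule matches the packet's source address.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for this example (placeholder addresses, not from
# the post): the upstream gateway routes the PortMaster's assigned pool to
# the PortMaster over ethernet; the PortMaster has routes only for dial-up
# users with a live session and sends everything else to its default
# route, which is that same gateway.
POOL = ip_network("192.0.2.0/27")        # Assigned_Address/27 in the filter
PM_ETHER0 = ip_address("192.0.2.62")     # Ether0_Address/32 in the filter
CONNECTED = {ip_address("192.0.2.5")}    # pool addresses with a live session


def egress_permitted(src):
    """Model of 'filter e.out': rule 1 permits the assigned pool, rule 2
    permits the PortMaster's own ether0 address, rule 3 denies the rest.
    Assumption: a lone address in a ComOS rule matches the source."""
    src = ip_address(src)
    return src in POOL or src == PM_ETHER0


def forward(src, dst, ttl, ofilter):
    """Walk one packet that arrives at the gateway from upstream.
    Returns (outcome, ethernet_transits); every gateway<->PortMaster hop
    crosses the LAN once and costs one TTL."""
    src, dst = ip_address(src), ip_address(dst)
    hops, where = 0, "gateway"
    while True:
        if where == "gateway":
            if dst not in POOL:
                return ("routed_upstream", hops)   # not our pool: send it on
            nxt = "portmaster"                     # OSPF says the PM has it
        else:
            if dst in CONNECTED:
                return ("delivered", hops)
            # disconnected user: no route, so the PM takes its default route
            if ofilter and not egress_permitted(src):
                return ("dropped_by_e.out", hops)  # rule 3 catches the bounce
            nxt = "gateway"
        ttl -= 1
        if ttl == 0:
            return ("ttl_expired", hops)           # the loop finally dies
        hops += 1
        where = nxt


if __name__ == "__main__":
    pkt = ("198.51.100.9", "192.0.2.7", 64)        # flood at an idle pool address
    print("without e.out:", forward(*pkt, ofilter=False))   # ~TTL LAN transits
    print("with e.out:   ", forward(*pkt, ofilter=True))    # one transit, then dropped
```

The unfiltered run shows why a modest flood saturates the LAN: each packet crosses the ethernet about TTL times before it dies, while the filtered run drops it on the first bounce.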