Using A Lucent PortMaster To Protect Against IP Spoofs

Subject: CERT 1/23 Advisory

Summary: What To Do On Lucent IRX (TM) Or PortMaster (TM)

The Lucent IRX (TM) and PortMaster (TM) discard source routed packets, but this recent attack does not involve source routes; it spoofs the source IP address. 

You can block this IP spoofing attack with your IRX (or PortMaster).
Rules for doing so are given in the example in the Firewall Application Note included with the IRX-211 or available from
A short description follows. 

Assume your network is on ether0, on ether1, or split across both, and that your S1 sync port has an input filter called "" and (optionally) an output filter called "internet.out":

The first rule for "" must be: 

Command> deny log 

You can omit "log" from the end of the deny rule if you do not want to know when your network is being attacked. If you set a loghost, packets that match a rule with the "log" keyword cause a message to be sent to the auth.notice facility on the loghost.

It is also useful to block packets that are trying to leave your network but have a destination address inside your network. To do so, insert a first rule into "internet.out":

Command> deny log 

If you know an address could not be coming in via some interface, it is useful to block it and log the event if it happens. Such a packet indicates that someone is either attempting to "spoof" [an attempt to gain access to an automated information system by posing as an authorized user] your network or that there is a problem with routing. Contact Lucent Technical Support for routing issues.
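The following Python model, added here and not part of the Lucent note or the PortMaster software, shows the logic of the two first rules described above: on the S1 input filter, deny and log anything whose source claims to be inside your network; on the S1 output filter, deny and log anything whose destination is inside your network. The internal networks and the log line format are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example: the networks behind ether0 and ether1.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),      # ether0 (assumed)
    ipaddress.ip_network("198.51.100.0/24"),   # ether1 (assumed)
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside any of the networks behind ether0/ether1."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def anti_spoof_rule(direction: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Evaluate rule 1 of the S1 filters for one packet.

    direction: "in"  = packet arriving from the Internet on S1 (input filter)
               "out" = packet leaving towards the Internet on S1 (output filter)
    Returns ("deny", log_line) when the rule matches, or ("no-match", None),
    meaning the packet falls through to the remaining rules of the filter.
    """
    if direction == "in" and is_internal(src):
        reason = "inbound packet claims an internal source (spoof or routing problem)"
    elif direction == "out" and is_internal(dst):
        reason = "outbound packet addressed to an internal host (spoof or routing problem)"
    else:
        return "no-match", None
    # What a loghost would receive at facility auth, level notice (format assumed).
    log_line = f"auth.notice portmaster: S1 {direction} rule 1 deny {src} -> {dst}: {reason}"
    return "deny", log_line


def run_filter(packets: List[Tuple[str, str, str]]) -> List[str]:
    """Apply the rule to (direction, src, dst) tuples; return the log lines produced."""
    logs = []
    for direction, src, dst in packets:
        verdict, line = anti_spoof_rule(direction, src, dst)
        if verdict == "deny":
            logs.append(line)
    return logs


if __name__ == "__main__":
    # Constructed traffic: one legitimate inbound packet, one spoofed one.
    for line in run_filter([("in", "203.0.113.5", "192.0.2.10"),
                            ("in", "192.0.2.10", "203.0.113.5")]):
        print(line)
```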

Further examples of Lucent packet filtering are available in the Firewall Application Note mentioned above and at:

A copy of this message is available at: 

The original Computer Emergency Response Team (CERT) advisory is available at: Hijacked Connections