Using A Lucent PortMaster To Protect Against IP Spoofs

Subject: CERT 1/23 Advisory

Summary: What To Do On Lucent IRX (TM) Or PortMaster (TM)

The Lucent IRX (TM) and PortMaster (TM) discard source routed packets, but this recent attack does not involve source routes; it spoofs the source IP address. You can block this IP spoofing attack with your IRX (or PortMaster).

Assume your network is 199.9.200.0 on ether0 or ether1, or split across both, and that your S1 sync port has an input filter called "internet.in" and (optionally) an output filter called "internet.out". The first rule for "internet.in" must be:

Command> deny 199.9.200.0/24 0.0.0.0/0 log

You can omit "log" from the end of the deny rule if you do not want to know when your network is being attacked. If you set a loghost, packets that match a rule with the "log" keyword send a message to the auth.notice facility on the loghost.

It is also useful to block packets that are trying to leave your network but have a destination address inside your network. To do so, insert a first rule into "internet.out":

Command> deny 0.0.0.0/0 199.9.200.0/24 log

If you know an address could not be coming in via some interface, it is useful to block it and log the event if it happens. A logged match indicates that someone is either attempting to "spoof" [an attempt to gain access to an automated information system by posing as an authorized user] your network, or that there is a problem with routing. Contact Lucent Technical Support for routing issues.

Further examples of Lucent packet filtering are available in the

A copy of this message is available at:

The original Computer Emergency Response Team (CERT) advisory is available at:
ftp://cert.org/pub/cert_advisories/CA-95:01.IP.Spoofing.Attacks.and Hijacked Connections
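To make the effect of the two rules concrete, the following is an added example (not part of the original message or of Lucent's software) that simulates first-match evaluation of PortMaster-style "internet.in" and "internet.out" filters against constructed packets and produces the kind of auth.notice message a loghost would receive. The "permit" rules following each deny, the log line format, and the "permit" default when no rule matches are assumptions made for the simulation; only the two deny rules come from the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                 # "deny" or "permit"
    src: ipaddress.IPv4Network  # source address range the rule matches
    dst: ipaddress.IPv4Network  # destination address range the rule matches
    log: bool = False           # emit a loghost message when this rule matches

def parse_rule(text: str) -> Rule:
    """Parse a rule in the page's syntax: '<deny|permit> <src/len> <dst/len> [log]'."""
    parts = text.split()
    if len(parts) not in (3, 4) or parts[0] not in ("deny", "permit"):
        raise ValueError(f"unrecognised rule: {text!r}")
    if len(parts) == 4 and parts[3] != "log":
        raise ValueError(f"unrecognised keyword in rule: {text!r}")
    return Rule(parts[0],
                ipaddress.ip_network(parts[1]),
                ipaddress.ip_network(parts[2]),
                log=(len(parts) == 4))

def build_filter(lines: List[str]) -> List[Rule]:
    """Rules are evaluated in the order given, so the anti-spoof deny must come first."""
    return [parse_rule(line) for line in lines]

# Input filter on the S1 sync port. Rule 1 is the page's rule; rule 2 is an
# assumed permit so that legitimate inbound traffic reaches 199.9.200.0/24.
INTERNET_IN = build_filter([
    "deny 199.9.200.0/24 0.0.0.0/0 log",     # from the page
    "permit 0.0.0.0/0 199.9.200.0/24",       # assumption for this simulation
])

# Output filter on the same port. Rule 1 is the page's rule; rule 2 is assumed.
INTERNET_OUT = build_filter([
    "deny 0.0.0.0/0 199.9.200.0/24 log",     # from the page
    "permit 199.9.200.0/24 0.0.0.0/0",       # assumption for this simulation
])

def evaluate(filter_name: str, rules: List[Rule], src_ip: str, dst_ip: str,
             default: str = "permit") -> Tuple[str, Optional[str]]:
    """First-match evaluation. Returns (action, log_message_or_None).

    The 'default' applied when nothing matches is an assumption of this
    simulation, not a statement about the real PortMaster behaviour.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for index, rule in enumerate(rules, start=1):
        if src in rule.src and dst in rule.dst:
            message = None
            if rule.log:
                # Constructed message shape; the real loghost line format is not on the page.
                message = (f"auth.notice {filter_name} rule {index}: "
                           f"{rule.action} {src} -> {dst}")
            return rule.action, message
    return default, None

def audit(packets: List[Tuple[str, str, str]]) -> List[str]:
    """Run constructed packets (direction, src, dst) through the matching filter
    and collect every log message, i.e. every suspected spoof or routing fault."""
    logged = []
    for direction, src, dst in packets:
        name, rules = (("internet.in", INTERNET_IN) if direction == "in"
                       else ("internet.out", INTERNET_OUT))
        _, message = evaluate(name, rules, src, dst)
        if message:
            logged.append(message)
    return logged

if __name__ == "__main__":
    # Constructed sample traffic: one spoofed inbound packet, one normal inbound
    # packet, one misrouted outbound packet, one normal outbound packet.
    sample = [
        ("in", "199.9.200.5", "199.9.200.9"),   # claims an inside source: spoof
        ("in", "10.1.2.3", "199.9.200.9"),      # ordinary inbound traffic
        ("out", "199.9.200.5", "199.9.200.9"),  # inside -> inside leaving S1: routing fault
        ("out", "199.9.200.5", "10.1.2.3"),     # ordinary outbound traffic
    ]
    for line in audit(sample):
        print(line)
```

Two log lines come out of the sample above: the inbound packet claiming a 199.9.200.0/24 source and the outbound packet addressed back into 199.9.200.0/24. Everything else passes the assumed permit rule, which shows why the deny must be rule 1: with the order reversed, the permit would match the spoofed packet first and the deny would never fire.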