[22593] in North American Network Operators' Group


Re: source filtering

daemon@ATHENA.MIT.EDU (Daniel Senie)
Tue Jan 12 16:00:03 1999

Date: Tue, 12 Jan 1999 14:38:55 -0500
From: Daniel Senie <dts@senie.com>
To: nanog@merit.edu

"Craig A. Huegen" wrote:
> 
> On Tue, Jan 12, 1999 at 06:25:47PM +0000, Alex Bligh wrote:
> 
> ==>Is UDP smurf much in evidence? (send a UDP packet to the broadcast address
> ==>on the echo server port and you'll either get ICMP port unreachables
> ==>back or UDP echos). The reason I ask is that edge ICMP rate
> ==>limiting won't help UDP.
> 
> People are still preferring ICMP smurfs as the reflection is usually
> greater.
> 
> With that said, you can use a line like the following to filter UDP
> echo smurfs at the network border; it won't affect other UDP traffic.
> 
> access-list 101 permit udp any eq 7 any

A side effect of the above filter is that it'll interfere with some web
caches. Now mind you, I'm not sure whether that's a bad thing or a good
thing; it's just how it is. Whoever came up with using the UDP echo port
as part of a web cache's operation must have had no ops experience on the
Internet. The web cache packets are recognizable by having a source port
of 3130 and destination port of 7.

Since I care more about preventing attacks than I do about web caches, I
allow these to be blocked.

Dan

-- 
-----------------------------------------------------------------
Daniel Senie                                        dts@senie.com
Amaranth Networks Inc.            http://www.amaranthnetworks.com
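
An added example, not part of Dan's or Craig's posts: a small evaluator for
Cisco-style extended access-list lines of the shape quoted above, run over
constructed sample packets so you can see what an entry matching UDP source
port 7 actually catches. Assumptions are mine: the entry is written as a
"deny" ahead of a catch-all "permit ip any any", which is how it behaves when
the list is applied as an interface packet filter (the thread's line uses
"permit", which is the right action if the list is instead referenced from a
rate-limit statement); the addresses and ports are invented; and the second
list, which exempts echo replies headed back to a cache's port 3130, is an
illustrative refinement, not something either poster recommended. Note that
"any eq 7" in this position is the source port, so the filter drops echo
replies coming back from the reflector (including those returning to the
cache's port 3130), while the cache's own outbound probes (source 3130,
destination 7) pass it.

```python
"""Minimal evaluator for Cisco-style extended ACL lines (added example).

Supports the subset used in the thread:
    access-list <num> <permit|deny> <proto> <src> [eq <port>] <dst> [eq <port>]
with <src>/<dst> being "any" or a single address.  First match wins and an
implicit deny follows, as on IOS.  Sample packets below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: str             # "any" or an address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _addr_and_port(toks: List[str], i: int) -> Tuple[str, Optional[int], int]:
    """Consume "<addr> [eq <port>]" starting at toks[i]; return new index."""
    addr = toks[i]
    i += 1
    port = None
    if i < len(toks) and toks[i] == "eq":
        port = int(toks[i + 1])
        i += 2
    return addr, port, i


def parse_ace(line: str) -> Ace:
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        raise ValueError(f"not an extended access-list line: {line!r}")
    action, proto = toks[2], toks[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    src, sport, i = _addr_and_port(toks, 4)
    dst, dport, i = _addr_and_port(toks, i)
    if i != len(toks):
        raise ValueError(f"trailing tokens in {line!r}")
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ace.src in ("any", pkt.src)
            and (ace.sport is None or ace.sport == pkt.sport)
            and ace.dst in ("any", pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Return "permit" or "deny": first matching entry wins, implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The thread's filter, as a packet filter: drop UDP with *source* port 7.
BORDER_ACL = parse_acl("""
access-list 101 deny udp any eq 7 any
access-list 101 permit ip any any
""")

# Illustrative refinement (my assumption, not from the thread): let echo
# replies through only when they are headed back to a cache's port 3130.
REFINED_ACL = parse_acl("""
access-list 102 permit udp any eq 7 any eq 3130
access-list 102 deny udp any eq 7 any
access-list 102 permit ip any any
""")

# Constructed sample traffic (documentation addresses, invented ports).
SAMPLES = {
    "smurf reflection to victim":   Packet("udp", "198.51.100.5", 7, "192.0.2.10", 7),
    "echo reply back to cache":     Packet("udp", "198.51.100.5", 7, "192.0.2.20", 3130),
    "cache probe outbound":         Packet("udp", "192.0.2.20", 3130, "198.51.100.5", 7),
    "ordinary DNS reply":           Packet("udp", "198.51.100.53", 53, "192.0.2.30", 4000),
    "icmp (not matched by udp ace)": Packet("icmp", "198.51.100.5", 0, "192.0.2.10", 0),
}


def classify_samples(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("101 (thread's filter)", BORDER_ACL), ("102 (refined)", REFINED_ACL)):
        print(label)
        for name, verdict in classify_samples(acl).items():
            print(f"  {verdict:6s} {name}")
```

Running it shows list 101 dropping both the reflected smurf traffic and the
echo replies returning to the cache, while the cache's outbound probes, DNS
and ICMP pass; list 102 spares only the replies destined for port 3130. The
exemption is a trade-off, since an attacker who picks 3130 as the spoofed
source port gets through it, which is one reason to weigh Dan's choice of
simply letting the cache traffic be blocked.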
