[4487] in North American Network Operators' Group


Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Dick St.Peters)
Tue Sep 17 14:55:28 1996

Date: Tue, 17 Sep 1996 14:51:05 -0400
From: "Dick St.Peters" <stpeters@NetHeaven.com>
To: George Herbert <gherbert@crl.com>
Cc: Michael Dillon <michael@memra.com>, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <199609170407.AA29031@mail.crl.com>

George Herbert writes:

> Simple for Livingstons...
> 
> create a filter "internet.out"
> Contents:
> three lines for each net block you have:
> 
> 	permit 1.2.3.4/20 tcp
> 	permit 1.2.3.4/20 udp
> 	permit 1.2.3.4/20 icmp

Actually, a single "permit 1.2.3.4/20" line will do.  In Livingston
command line syntax:

	set filter internet.out 1 permit 1.2.3.4/20

> final line to log (optional) MUST COME AFTER permit list for netblocks:
> 	deny log
> 
> The final line will have the router syslog a message any time someone
> tries to send from an address outside your blocks, as defined in the
> rest of the filter.  This is optional.  Keep in mind that the panix
> attack would probably have flooded your syslog machine's disk space
> with syslog info in this case.  Hardening that is an issue for another day,
> however.

Logging denies will fill up your log anyway.  Packets arriving for a
dialup user after he/she hangs up fall through to the default route
back out of the box.  They are then _outbound_ packets with source
address off the network and destination address on the network.

Dialup providers who want to log denies based on a source address
being on their network should have a preceding unlogged deny based on
the destination address being on their network:

	set filter internet.out 1 permit 1.2.3.4/20
	set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
	set filter internet.out 3 deny log

--
Dick St.Peters,       Gatekeeper, Pearly Gateway, Ballston Spa, NY
stpeters@NetHeaven.com     Owner, NetHeaven 518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
	  First Internet service based in the 518 area code
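The rule ordering in the reply above is what makes the filter useful: the permit for your own block must come first, the unlogged deny on the destination must catch the packets bounced back toward a hung-up dialup user, and only then does the logged catch-all deny see what is left. The following is an added example, not code from the original message and not Livingston/ComOS code: a small Python model of first-match filter evaluation that parses the `set filter` lines exactly as they appear in the thread and runs three constructed packets through the two-rule filter from George's post and the three-rule filter from Dick's reply. Assumptions: an unmatched packet is denied without logging (modelling the implicit default deny), and the parser only understands the `set filter NAME N permit|deny [src/len] [dst/len] [tcp|udp|icmp] [log]` forms shown on this page. All addresses other than 1.2.3.4/20 are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY  # source prefix, default any
    dst: ipaddress.IPv4Network = ANY  # destination prefix, default any
    proto: Optional[str] = None       # "tcp"/"udp"/"icmp", None = any protocol
    log: bool = False                 # syslog a match (the "log" keyword)


def parse_filter(text: str) -> Tuple[Optional[str], List[Rule]]:
    """Parse 'set filter NAME N ACTION [src] [dst] [proto] [log]' lines.

    Minimal model of the syntax quoted in the thread (assumption, not a
    full ComOS parser).  Rules are returned in ascending rule-number order,
    which is the order the router evaluates them in (first match wins).
    """
    rules, name = {}, None
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] != ["set", "filter"]:
            continue
        name, idx, action, args = parts[2], int(parts[3]), parts[4], parts[5:]
        log = bool(args) and args[-1] == "log"
        if log:
            args = args[:-1]
        proto = args[-1] if args and args[-1] in ("tcp", "udp", "icmp") else None
        if proto:
            args = args[:-1]
        # strict=False lets "1.2.3.4/20" mean the block 1.2.0.0/20, as on the page
        src = ipaddress.ip_network(args[0], strict=False) if len(args) > 0 else ANY
        dst = ipaddress.ip_network(args[1], strict=False) if len(args) > 1 else ANY
        rules[idx] = Rule(action, src, dst, proto, log)
    return name, [rules[i] for i in sorted(rules)]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str) -> Tuple[str, bool, int]:
    """Return (action, logged, matching_rule_number); 0 = implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, start=1):
        if s in r.src and d in r.dst and (r.proto is None or r.proto == proto):
            return r.action, r.log, n
    return "deny", False, 0   # assumed: unmatched traffic is dropped, not logged


# The two filters discussed in the thread, verbatim in the page's syntax.
FILTER_NAIVE = """
set filter internet.out 1 permit 1.2.3.4/20
set filter internet.out 2 deny log
"""
FILTER_FIXED = """
set filter internet.out 1 permit 1.2.3.4/20
set filter internet.out 2 deny 0.0.0.0/0 1.2.3.4/20
set filter internet.out 3 deny log
"""

# Constructed packets leaving the router on its Internet-facing side.
SAMPLE_PACKETS = [
    # (label, source, destination, protocol)
    ("customer web request",          "1.2.5.7",       "198.51.100.10", "tcp"),
    ("spoofed SYN from customer port", "203.0.113.9",   "198.51.100.10", "tcp"),
    ("bounce to hung-up dialup user",  "198.51.100.10", "1.2.5.7",       "tcp"),
]


def run(filter_text: str, packets=SAMPLE_PACKETS):
    """Evaluate every packet; returns [(label, action, logged, rule_number), ...]."""
    _, rules = parse_filter(filter_text)
    return [(label,) + evaluate(rules, src, dst, proto)
            for label, src, dst, proto in packets]


def logged_labels(results) -> List[str]:
    """Labels of packets that would have produced a syslog line."""
    return [label for label, _action, logged, _n in results if logged]


if __name__ == "__main__":
    for title, f in (("naive", FILTER_NAIVE), ("fixed", FILTER_FIXED)):
        print(title)
        for label, action, logged, n in run(f):
            print(f"  rule {n}: {action:6} {'LOG' if logged else '   '}  {label}")
```

With the two-rule filter, both the spoofed packet and the bounce toward the hung-up user hit `deny log`, so a busy dialup pool writes a syslog line for every stray packet that arrives after a hangup; with the three-rule filter, the bounce matches rule 2 silently and only traffic with a source address outside the block reaches the logged deny. Swapping rules 2 and 3 would reintroduce the problem, since a bare `deny log` matches everything that reaches it, which is why the catch-all has to be last.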
