Re: serious flaw exposed via filters

Charles Scott (cscott@freeway.net)
Mon, 16 Sep 1996 14:36:07 -0400 (EDT)

Kai:
OK, I know I'm going to get in trouble for this with Brian, but here
goes. Yes, the PortMasters (in my opinion) should never send packets
destined for an assignable (but currently unused) address back toward the
default route. This situation is just another manifestation of that
problem, as is unnecessary loading of the WAN circuit in PM2ERs when
this problem results in routing loops. What I've done on our units is to
designate the Ethernet port address as the gateway for the subnet which
includes the assignable addresses (I use 30 address subnets). This causes
packets for unused addresses to die right there. I don't know if in the
case you describe it will be enough to prevent those deny complaints,
but it should be easy to test. Brian has said several times that we are
NOT to designate the Ethernet port as a gateway, but until there is a
change in the code, I don't see an alternative.

Chuck

On Mon, 16 Sep 1996, Kai wrote:

> I sent the following off to support@livingston.com, but feel like sharing
> this is a good idea:
> -----------------------
>
> Hi there,
>
> given the recent widespread attacks on the infrastructure of the Internet via
> the SYN Flood tool published in 2600 and Phrack magazine, I decided to
> install outgoing filters on the Ethernet ports of our PortMasters.
> I opted for the 'log' option in the final 'deny' line.
>
> To my big surprise, the log started reporting denied packets that should
> NEVER have traversed the interface in outbound direction.
>
> After some detailed analysis, it looks like IP traffic that is directed
> by far away hosts at a local PPP dialup user who has JUST DISCONNECTED
> makes the PM (ComOS 3.3.2 release) feel like putting those packets BACK
> on the ethernet. And it's doing this for quite some time: an extreme
> case in the logs after a user disconnected shows about 200 logged denies
> over a period of 3 minutes and 40 seconds!
>
> Obviously, this is a bad situation: it makes use of the log statement for
> the purpose of detecting spoofed IP packets useless, just at a time when
> we need it most: early detection of SYN flood attempts by 15-year-old-
> hormone-laden-king-of-the-hill-linux-wielding-IRC-warrior-warez-trading
> "users", causing thousands of dollars of damages by executing a small
> C program...
>
> bye, Kai
>
>
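As an added illustration (not code from either post, and not PortMaster syntax), a small Python model of the behaviour Kai describes and of Chuck's Ethernet-gateway workaround: a longest-prefix-match forwarder with a default route out the Ethernet, a per-session host route for the dialup user, and an outbound anti-spoof filter with a final deny-and-log. The addresses, interface names and the "local" next hop are constructed assumptions.

```python
# Added example (not from the list posts): a toy longest-prefix-match forwarder
# modelling the packet bounce Kai reports and Chuck's "pool subnet -> Ethernet
# port address" workaround.  All addresses/interface names are constructed.
import ipaddress

ISP_BLOCK = ipaddress.ip_network("192.0.2.0/24")   # constructed: our address space
POOL = ipaddress.ip_network("192.0.2.32/27")       # constructed: 30-address dialup pool
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def base_table(pool_on_ethernet):
    """Routing table: default route out ether0 toward the upstream gateway, plus
    (if pool_on_ethernet) the workaround: the pool subnet pointed at the Ethernet
    port's own address, so pool addresses with no host route die locally."""
    table = {DEFAULT: "ether0"}
    if pool_on_ethernet:
        table[POOL] = "local"
    return table

def lookup(table, dst):
    """Longest-prefix match, as any IP router does it."""
    dst = ipaddress.ip_address(dst)
    best = max((n for n in table if dst in n), key=lambda n: n.prefixlen)
    return table[best]

def egress_filter(src):
    """Outbound anti-spoof filter on ether0: permit only our own sources,
    deny (and log) everything else, like Kai's final 'deny log' line."""
    return "permit" if ipaddress.ip_address(src) in ISP_BLOCK else "deny-log"

def forward(table, src, dst):
    """Return the PPP port the packet exits, 'dropped', or the egress-filter
    verdict if it would be sent back out ether0 toward the default route."""
    nexthop = lookup(table, dst)
    if nexthop == "local":
        return "dropped"            # subnet is ours but no host route: die here
    if nexthop == "ether0":
        return "ether0:" + egress_filter(src)
    return nexthop

def simulate(pool_on_ethernet):
    """A far-away host (203.0.113.7) keeps sending to dialup user 192.0.2.40
    before and after that user's PPP session (its host route) goes away."""
    table = base_table(pool_on_ethernet)
    user = ipaddress.ip_network("192.0.2.40/32")
    table[user] = "ppp3"                      # session up: host route installed
    while_connected = forward(table, "203.0.113.7", "192.0.2.40")
    del table[user]                           # user just disconnected
    after_disconnect = forward(table, "203.0.113.7", "192.0.2.40")
    return while_connected, after_disconnect

if __name__ == "__main__":
    print("stock routing:", simulate(False))        # ('ppp3', 'ether0:deny-log')
    print("Ethernet as gateway:", simulate(True))   # ('ppp3', 'dropped')
```

Without the workaround the stale packet goes back out ether0 with a foreign source address and trips the deny-log rule, which is exactly the false positive Kai saw; with the pool subnet routed to the Ethernet port address it is dropped before reaching the filter.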