Robert H. Hanson LAN/WAN Consultant - Internet Service Provider
Otis Orchards, Wa. Cutting Edge Communications www.cet.com
(509) 927-9541 finger: info@cet.com or email: roberth@cet.com
On Mon, 16 Sep 1996, Charles Scott wrote:
>
> Kai:
> OK, I know I'm going to get in trouble for this with Brian, but here
> goes. Yes, the PortMasters (in my opinion) should never send packets
> destined for an assignable (but currently unused) address back toward the
> default route. This situation is just another manifestation of that
> problem, as is unnecessary loading of the WAN circuit in PM2ERs when
> this problem results in routing loops. What I've done on our units is to
> designate the Ethernet port address as the gateway for the subnet which
> includes the assignable addresses (I use 30 address subnets). This causes
> packets for unused addresses to die right there. I don't know if in the
> case you describe it will be enough to prevent those deny complaints,
> but it should be easy to test. Brian has said several times that we are
> NOT to designate the ethernet port as a gateway, but until there is a
> change in the code, I don't see an alternative.
>
> Chuck
>
> On Mon, 16 Sep 1996, Kai wrote:
>
> > I sent the following off to support@livingston.com, but feel like sharing
> > this is a good idea:
> > -----------------------
> >
> > Hi there,
> >
> > given the recent widespread attacks on the infrastructure of the Internet via
> > the SYN Flood tool published in 2600 and Phrack magazine, I decided to
> > install outgoing filters on the ethernet ports of our portmasters.
> > I opted for the 'log' option in the final 'deny' line.
> >
> > To my big surprise, the log started reporting denied packets that should
> > NEVER have traversed the interface in outbound direction.
> >
> > After some detailed analysis, it looks like IP traffic that is directed
> > by far away hosts at a local PPP dialup user who has JUST DISCONNECTED
> > makes the PM (ComOS 3.3.2 release) feel like putting those packets BACK
> > on the ethernet. And it's doing this for quite some time: an extreme
> > case in the logs after a user disconnected shows about 200 logged denies
> > over a period of 3 minutes and 40 seconds !
> >
> > Obviously, this is a bad situation: it makes use of the log statement for
> > the purpose of detecting spoofed IP packets useless, just at a time when
> > we need it most: early detection of SYN flood attempts by 15-year-old-
> > hormone-laden-king-of-the-hill-linux-wielding-IRC-warrior-warez-trading
> > "users", causing thousands of dollars of damages by executing a small
> > C program....
> >
> > bye, Kai
> >
> >
>
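The problem Kai describes is that one 'deny log' rule on the Ethernet port logs two things that look alike: the spoofed-source packets the filter was installed to catch, and inbound packets to a just-dropped dialup address that the router bounces back out toward its default route. The following is an added example, not code from the thread or from Livingston: a small triage script that separates the two classes by checking the destination against the assignable dialup pool, and then looks for bursts of spoofed-source TCP SYNs. The address plan (192.0.2.0/24 with a 30-host pool at 192.0.2.128/27), the sample log lines and the log line format are all constructed for illustration; the format is NOT the real ComOS syslog format and the regex must be adapted to whatever the router actually emits.

```python
"""Triage egress-filter 'deny log' output from a dialup router.

Added example (not from the thread). Log format and addresses are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Hypothetical address plan (assumed for the example).
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]    # everything we legitimately originate
DIALUP_POOLS = [ipaddress.ip_network("192.0.2.128/27")]  # assignable PPP addresses (30 hosts)

# Constructed line format, NOT the real ComOS format:
# "<HH:MM:SS> <router> deny out <iface> <src>:<sport> -> <dst>:<dport> <proto> [tcpflags]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<router>\S+) deny out (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?: (?P<flags>\S+))?$"
)

# Constructed sample: two bounced HTTP replies to a dropped user, one bounced DNS
# reply, a three-packet spoofed SYN burst from a dialup user, one ordinary deny,
# and one unparseable line.
SAMPLE_LOG = """\
10:01:02 pm2 deny out ether0 203.0.113.9:80 -> 192.0.2.140:1025 tcp SA
10:01:03 pm2 deny out ether0 203.0.113.9:80 -> 192.0.2.140:1025 tcp SA
10:01:04 pm2 deny out ether0 198.51.100.7:53 -> 192.0.2.141:2049 udp
10:02:10 pm2 deny out ether0 10.77.3.4:4000 -> 203.0.113.50:80 tcp S
10:02:10 pm2 deny out ether0 172.19.8.8:4001 -> 203.0.113.50:80 tcp S
10:02:10 pm2 deny out ether0 198.18.0.5:4002 -> 203.0.113.50:80 tcp S
10:02:11 pm2 deny out ether0 192.0.2.140:1100 -> 203.0.113.50:80 tcp S
garbage line
"""
LINES = SAMPLE_LOG.splitlines()


def in_any(addr, nets):
    return any(addr in n for n in nets)


def classify(line):
    """Return (category, parsed fields); category is None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    rec = m.groupdict()
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if not in_any(src, OUR_PREFIXES):
        # Foreign source leaving the Ethernet: either a dialup user spoofing,
        # or an inbound packet the router sent back out after the PPP session dropped.
        if in_any(dst, DIALUP_POOLS):
            return "bounced-to-dialup", rec     # the post-disconnect loop: noise
        return "spoofed-source", rec            # what the filter is there for
    return "other", rec


def triage(lines):
    """Counts per category, spoofed-source detail keyed by (src, dport, flags),
    and which pool addresses are attracting bounced traffic."""
    counts = Counter()
    spoof_detail = defaultdict(int)
    bounce_targets = Counter()
    for line in lines:
        cat, rec = classify(line)
        if cat is None:
            counts["unparsed"] += 1
            continue
        counts[cat] += 1
        if cat == "spoofed-source":
            spoof_detail[(rec["src"], rec["dport"], rec["flags"] or "-")] += 1
        elif cat == "bounced-to-dialup":
            bounce_targets[rec["dst"]] += 1
    return counts, dict(spoof_detail), bounce_targets


def syn_flood_windows(lines, window_s=1, threshold=3):
    """Time buckets (seconds of day) in which spoofed-source TCP SYNs reach the
    threshold. Bounced packets never count, so the loop noise cannot trip this."""
    buckets = Counter()
    for line in lines:
        cat, rec = classify(line)
        if cat != "spoofed-source" or rec["proto"] != "tcp" or rec["flags"] != "S":
            continue
        h, m, s = (int(x) for x in rec["ts"].split(":"))
        buckets[(h * 3600 + m * 60 + s) // window_s] += 1
    return {b * window_s: n for b, n in buckets.items() if n >= threshold}


if __name__ == "__main__":
    counts, spoof, bounces = triage(LINES)
    print("categories:", dict(counts))
    print("spoofed sources:", spoof)
    print("bounce targets:", dict(bounces))
    print("SYN burst windows:", syn_flood_windows(LINES))
```

The split is only as good as the pool definition: if an address is in DIALUP_POOLS it is assumed assignable, so keep that list in step with the PortMaster's assigned-address configuration, and treat a high bounce count on a single pool address as the routing symptom Chuck describes rather than as an attack.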