Internet

16 Oct 2000

How to Prevent Broadcast Echo Requests (Smurf Attacks)

Compatible Systems Software Version 3.x

Apply the following filter set to the WAN interface of the router:

Input Filters

MicroRouter 900i A5741600# edit filter ip smurfin
Filter list 'smurfin' does not exist, create a new one? y
Editing 'smurfin'...

Empty buffer
Edit smurfin>a
Enter lines at the prompt. To terminate input, enter
a . on a line all by itself.

Append> deny 0.0.0.0/0 38.242.251.255/32 IP
Append> deny 0.0.0.0/0 38.242.251.0/32 IP
Append> permit 0.0.0.0/0 0.0.0.0/0
Append> .
Edit smurfin> exit
*MicroRouter 900i A5741600#

This denies any IP packet, including echo requests, that is addressed to either the network address or the broadcast address; everything else is permitted by the final rule.

Next, apply the Outbound Filter; in this case all outbound pings are allowed:

*MicroRouter 900i A5741600# edit filter ip smurfout
Filter list 'smurfout' does not exist, create a new one? y
Editing 'smurfout'...

Empty buffer
Edit smurfout>a
Enter lines at the prompt. To terminate input, enter
a . on a line all by itself.

Append> permit 0.0.0.0/0 0.0.0.0/0
Append> .
Edit smurfout> exit
*MicroRouter 900i A5741600# save
Saving filter...
Checking syntax...
Filter checked successfully.
*MicroRouter 900i A5741600# save
Save configuration to flash and restart router? y

Compatible Systems Software Version 4.x

Add the Input Filter by following these steps:

*MR1270i_A55BA200# edit filter ip smurfin
Section 'IP Filter 'smurfin' not found in the config.
Do you want to add it to the config? y

1: [ IP Filter 'smurfin' ]
End of buffer
Edit [ IP Filter 'smurfin' ]> a
Enter lines at the prompt. To terminate input, enter a . on a line all by itself.

Append> deny 0.0.0.0/0 38.242.250.0/32 IP
Append> deny 0.0.0.0/0 38.242.250.255/32 IP
Append> permit 0.0.0.0/0 0.0.0.0/0
Append> .
Edit [ IP Filter 'smurfin' ]> exit
Saving section...
Checking syntax...
Section checked successfully.

Now, add the Output Filter:

*MR1270i_A55BA200# edit filter ip smurfout
Section 'IP Filter 'smurfout' not found in the config.
Do you want to add it to the config? y
Editing '[ IP Filter 'smurfout' ]'...

1: [ IP Filter 'smurfout' ]
End of buffer
Edit [ IP Filter 'smurfout' ]> a
Enter lines at the prompt. To terminate input, enter
a . on a line all by itself.

Append> permit 0.0.0.0/0 0.0.0.0/0
Append> .
Edit [ IP Filter 'smurfout' ]> exit
Saving section...
Checking syntax...
Section checked successfully.
*MR1270i_A55BA200# save
Save configuration to flash and restart device? y

Cisco Routers

On Cisco routers, applying filter sets is not necessary: turning off directed broadcast prevents the broadcast address from responding to an echo request. Directed broadcast must be disabled on each active interface.

Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int serial 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#int eth 0
Router(config-if)#no ip directed-broadcast
Router(config-if)#^Z
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#wr
Building configuration...
[OK]

Ascend Pipeline

Filters must be applied for both the network and broadcast addresses using the following filter sets.

Filters are located under the Ethernet menu. The Ascend has four to sixteen filter sets, each consisting of 12 inbound and 12 outbound filters.

Select a filter set (20-401 through 20-404).

Enter a name for the filter.

Select inbound or outbound.

Select which input filter you want to edit (01-12).

To apply the filter, go to the Ethernet menu, then the Connections menu, then the PSINet menu, then Session Options, and enter the number of the filter set you want to use in both the Call Filter and Data Filter fields. For example, to use filter set 20-401, enter 1 in each field.

Input Filters

In filter 1

Forward=no
Src Mask=0.0.0.0
Src Adrs=0.0.0.0
Dst Mask=255.255.255.255
Dst Adrs=204.243.195.0
Protocol=0
Src Port Cmp=None
Src Port #=N/A
Dst Port Cmp=None
Dst Port #=N/A
TCP Estab=N/A

In filter 2

Forward=no
Src Mask=0.0.0.0
Src Adrs=0.0.0.0
Dst Mask=255.255.255.255
Dst Adrs=204.243.195.255
Protocol=0
Src Port Cmp=None
Src Port #=N/A
Dst Port Cmp=None
Dst Port #=N/A
TCP Estab=N/A

In filter 3

Forward=Yes
Src Mask=0.0.0.0
Src Adrs=0.0.0.0
Dst Mask=0.0.0.0
Dst Adrs=0.0.0.0
Protocol=0
Src Port Cmp=None
Src Port #=N/A
Dst Port Cmp=None
Dst Port #=N/A
TCP Estab=N/A

Output Filter

Out filter 1

Forward=Yes
Src Mask=0.0.0.0
Src Adrs=0.0.0.0
Dst Mask=0.0.0.0
Dst Adrs=0.0.0.0
Protocol=1
Src Port Cmp=None
Src Port #=N/A
Dst Port Cmp=None
Dst Port #=N/A
TCP Estab=N/A

Proteon Globetrotter

Smurf attacks can be prevented on Proteon routers running version 2.0 or later by disabling directed broadcasts. This feature is enabled in the default factory configuration of the unit. To verify the status of directed broadcast, follow these steps.

*TALK 6

Config>PROTOCOL IP
Internet protocol user configuration

IP config>list all
Interface addresses
IP addresses for each interface:
intf 0 38.242.250.1 255.255.255.0 Network broadcast, fill 1
intf 1 38.21.10.100 255.255.255.0 Network broadcast, fill 1

Routing

route to 0.0.0.0,0.0.0.0 via 38.21.10.1, cost 1

Protocols
BOOTP forwarding: disabled
Directed broadcasts: disabled
Source routed IP: disabled
ARP Subnet routing: disabled
RFC925 routing: disabled
OSPF: disabled
Per-packet-multipath: disabled

To disable directed broadcasts, issue the following command:

IP config>disable directed-broadcast

Issue the list all command again to verify that directed broadcast was in fact disabled.

Netopia Routers

Netopia routers have directed broadcast disabled by default. There is no configuration parameter for directed broadcast in the router software; they simply do not respond to echo requests sent to either the network or broadcast address.

Livingston Routers

The following filter rules deny inbound packets that claim a source address inside the local network, and ICMP packets addressed to the local network address or broadcast address. LAN.LAN.LAN stands for the first three octets of the local network.

set filter s1.in 1 deny LAN.LAN.LAN.0/24 0.0.0.0/0
set filter s1.in 2 deny 0.0.0.0/0 LAN.LAN.LAN.0/32 icmp
set filter s1.in 3 deny 0.0.0.0/0 LAN.LAN.LAN.255/32 icmp
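The Compatible Systems filter lists and the Livingston rules above work the same way: each rule matches a source prefix, a destination prefix and optionally a protocol, and the rules are read top to bottom. The Python script below is an added example, not part of the original page or of any vendor's software; it derives the network and broadcast addresses for a subnet (constructed to match the 'intf 0' line in the Proteon listing), builds the corresponding 'smurfin' list, and checks constructed packets against it. It assumes first-match evaluation, which the deny-before-permit ordering implies, and that a packet matching no rule is dropped.

```python
# Added example, not code from the original page or from any router vendor.
# Builds the 'smurfin'-style deny list for a subnet and evaluates packets
# against it. Assumptions: rules are evaluated first match (implied by the
# deny-before-permit ordering on the page); a packet matching no rule is denied.
import ipaddress

# Constructed interface, chosen to match the 'intf 0' line in the Proteon listing.
IFACE = ipaddress.ip_interface("38.242.250.1/255.255.255.0")


def smurf_targets(iface):
    """Return the (network, broadcast) addresses of the interface's subnet."""
    net = iface.network
    return net.network_address, net.broadcast_address


def smurfin_rules(iface):
    """Build a filter list in the 'ACTION SRC/LEN DST/LEN [PROTO]' form used above."""
    net_addr, bcast = smurf_targets(iface)
    return [
        f"deny 0.0.0.0/0 {net_addr}/32 IP",
        f"deny 0.0.0.0/0 {bcast}/32 IP",
        "permit 0.0.0.0/0 0.0.0.0/0",
    ]


def parse_rule(line):
    """Split one rule into (action, src network, dst network, protocol)."""
    parts = line.split()
    proto = parts[3].upper() if len(parts) > 3 else "ANY"
    return (parts[0].lower(),
            ipaddress.ip_network(parts[1], strict=False),
            ipaddress.ip_network(parts[2], strict=False),
            proto)


def evaluate(rules, src, dst, proto):
    """Return 'permit' or 'deny' for a packet under first-match evaluation."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net, p in map(parse_rule, rules):
        # 'IP' (or no keyword) matches every protocol; 'icmp' etc. match only that one.
        if src_ip in s_net and dst_ip in d_net and p in ("ANY", "IP", proto.upper()):
            return action
    return "deny"


if __name__ == "__main__":
    rules = smurfin_rules(IFACE)
    print("\n".join(rules))
    for dst in ("38.242.250.0", "38.242.250.255", "38.242.250.7"):
        print(dst, evaluate(rules, "10.0.0.9", dst, "ICMP"))
```

Running it shows that pings to the network and broadcast addresses are denied while a ping to an ordinary host on the subnet is still permitted.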

