From owner-iap@VMA.CC.ND.EDU Mon Sep 16 21:17:34 1996
Received: from VMA.CC.ND.EDU (vma.cc.nd.edu [129.74.4.21]) by remarkable.amazing.com (8.6.12/8.6.12) with SMTP id VAA17270 for ; Mon, 16 Sep 1996 21:17:26 -0700
Received: from VMA.CC.ND.EDU by VMA.CC.ND.EDU (IBM VM SMTP V2R2) with BSMTP id 3078; Mon, 16 Sep 96 23:15:41 EST
Received: from VMA.CC.ND.EDU (NJE origin LISTSERV@IRISHVMA) by VMA.CC.ND.EDU (LMail V1.2a/1.8a) with BSMTP id 6813; Mon, 16 Sep 1996 23:15:40 -0500
Received: from VMA.CC.ND.EDU by VMA.CC.ND.EDU (LISTSERV release 1.8b) with NJE id 6684 for IAP@VMA.CC.ND.EDU; Mon, 16 Sep 1996 23:15:37 -0500
Received: from IRISHVMA (NJE origin SMTP@IRISHVMA) by VMA.CC.ND.EDU (LMail V1.2a/1.8a) with BSMTP id 6811; Mon, 16 Sep 1996 23:15:37 -0500
Received: from pinky.junction.net by VMA.CC.ND.EDU (IBM VM SMTP V2R2) with TCP; Mon, 16 Sep 96 23:15:35 EST
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id UAA10885; Mon, 16 Sep 1996 20:29:31 -0700
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id VAA13581; Mon, 16 Sep 1996 21:10:06 -0700
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Date: Mon, 16 Sep 1996 21:10:06 -0700
Reply-To: Small Internet Access Providers
Sender: Small Internet Access Providers
From: Michael Dillon
Organization: Memra Software Inc. - Internet consulting
Subject: Filtering spoofed SYN packets on Livingston's
Comments: To: inet-access@earth.com
Comments: cc: linuxisp@jeffnet.org, freebsd-isp@freebsd.org, os2-isp@dental.stat.com
To: Multiple recipients of list IAP
Status: RO

This is a fragment from the NANOG list archived at http://www.merit.edu
It will work on Livingston IRX routers as well as PM2e and PM2eR terminal servers.

Michael Dillon           -  ISP & Internet Consulting
Memra Software Inc.      -  Fax: +1-604-546-3049
http://www.memra.com     -  E-mail: michael@memra.com

----------- Fragment of message ---------------

create a filter "internet.out"

Contents: three lines for each net block you have:

    permit 1.2.3.4/20 tcp
    permit 1.2.3.4/20 udp
    permit 1.2.3.4/20 icmp

final line to log (optional) MUST COME AFTER permit list for netblocks:

    deny log

The final line will have the router syslog a message any time someone tries to send from an address outside your blocks, as defined in the rest of the filter. This is optional. Keep in mind that the panix attack would probably have flooded your syslog machine's disk space with syslog info in this case. Hardening that is an issue for another day, however.

Apply this to all outbound ports on your gateway IRX routers. You can do similar things with inbound ports on customer connections or other internal routers if you desire to start filtering earlier than your border gateway machines.

For example, if 1.2.3.0/21 is your block for your St Louis hub and 2.3.11.0/24 and 2.3.22.0/26 are customer nets there, then the outbound interface for your St Louis IRX could have the following filter on its outbound interface(s):

    permit 1.2.3.0/21 tcp
    permit 1.2.3.0/21 udp
    permit 1.2.3.0/21 icmp
    permit 2.3.11.0/24 tcp
    permit 2.3.11.0/24 udp
    permit 2.3.11.0/24 icmp
    permit 2.3.22.0/26 tcp
    permit 2.3.22.0/26 udp
    permit 2.3.22.0/26 icmp
    deny log

Alternatively you can filter on incoming ports with the same syntax.
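The following is an added illustration, not part of the archived message and not Livingston's own filter code: a small Python evaluator for the "permit prefix proto" / "deny log" syntax quoted above, run over the St Louis hub filter with a few constructed packets. It assumes first-match-wins ordering and a silent implicit deny when nothing matches; both are assumptions about the router, not facts stated in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the filter syntax quoted in the post:
#   permit <prefix> <proto>  -> forward the packet
#   deny log                 -> drop the packet and emit a syslog line
# Assumption: rules are checked in order, first match wins, and a packet
# matching no rule is dropped without logging (implicit deny).

@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    prefix: Optional[ipaddress.IPv4Network]      # None = any source
    proto: Optional[str]                         # None = any protocol
    log: bool

def parse_filter(text):
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "permit":
            # strict=False: the post writes prefixes like 1.2.3.0/21 with host bits set
            net = ipaddress.ip_network(parts[1], strict=False)
            rules.append(Rule("permit", net, parts[2], False))
        elif parts[0] == "deny":
            rules.append(Rule("deny", None, None, "log" in parts[1:]))
        else:
            raise ValueError("unknown rule: " + line)
    return rules

def evaluate(rules, src, proto):
    """Return (action, logged) for a packet with source src and protocol proto."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.prefix is not None and addr not in r.prefix:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        return r.action, r.log
    return "deny", False   # implicit deny (assumption)

# Outbound filter for the St Louis hub, exactly as given in the post.
ST_LOUIS_OUT = "\n".join(
    f"permit {net} {proto}"
    for net in ("1.2.3.0/21", "2.3.11.0/24", "2.3.22.0/26")
    for proto in ("tcp", "udp", "icmp")
) + "\ndeny log"

# Constructed sample packets: (source address, protocol).
SAMPLE = [("1.2.4.7", "tcp"),     # inside 1.2.0.0/21     -> permit
          ("2.3.22.70", "udp"),   # outside 2.3.22.0/26   -> deny, logged
          ("10.0.0.1", "tcp"),    # spoofed source        -> deny, logged
          ("2.3.11.9", "gre")]    # protocol not permitted -> deny, logged

def classify(packets, rules=None):
    rules = rules if rules is not None else parse_filter(ST_LOUIS_OUT)
    return [(src, proto) + evaluate(rules, src, proto) for src, proto in packets]
```

Counting the logged entries in `classify(SAMPLE)` is the quick way to see why the post warns that a flood of spoofed packets would also flood the syslog host.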