Craig A. Huegen <chuegen@cisco.com>
Network-Based Denial of Service Attacks
NANOG 12     13
Prevention Techniques
• How to prevent being a “bounce site” in a “Smurf” attack:
  • Turn off directed broadcasts to networks:
    • Cisco: Interface command “no ip directed-broadcast”
    • Proteon: IP protocol configuration “disable directed-broadcast”
    • Bay Networks: Set a false static ARP address for bcast address
  • Use access control lists (if necessary) to prevent ICMP echo requests from entering your network
  • Encourage vendors to turn off replies for ICMP echos to broadcast addresses
    • Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.”
    • Patches are available for free UNIX-ish operating systems.
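
A check for the Cisco setting above, as an added example that is not part of the original slides: it reads a router configuration and lists the IP-addressed interfaces that would still forward directed broadcasts. The sample configuration is constructed, and the `default_enabled` parameter is an assumption about what the router's software release does when neither form of the command is present.

```python
import re

# Constructed sample configuration (not from the slides); documentation addresses.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
!
interface Serial0
 ip address 203.0.113.1 255.255.255.252
 ip directed-broadcast
!
interface Serial1
 no ip address
 shutdown
!
"""

def audit_directed_broadcast(config, default_enabled=True):
    """Return {interface: reason} for interfaces that forward directed broadcasts.

    default_enabled is an assumption: the behaviour of the software release
    when an interface has neither form of the command.
    """
    findings = {}
    # An interface stanza is its header line plus the indented lines after it.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name = m.group(1)
        lines = [line.strip() for line in m.group(2).splitlines()]
        if not any(re.match(r"ip address \d", line) for line in lines):
            continue  # no IP address, so no subnet to bounce traffic off
        if "no ip directed-broadcast" in lines:
            continue  # explicitly turned off, as the slide recommends
        if any(line.startswith("ip directed-broadcast") for line in lines):
            findings[name] = "explicitly enabled"
        elif default_enabled:
            findings[name] = "enabled by default"
    return findings

if __name__ == "__main__":
    for ifname, reason in audit_directed_broadcast(SAMPLE_CONFIG).items():
        print(f"{ifname}: directed broadcast {reason}")
```
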