Craig A. Huegen <chuegen@cisco.com>
Network-Based Denial of Service Attacks
NANOG 13
Prevention Techniques (cont’d)
•How to prevent being a “bounce site” in a “Smurf” or “Fraggle” attack:
Turn off directed broadcasts to networks:
Cisco:  Interface command “no ip directed-broadcast”
As of 12.0, this is default (CSCdj31162)
Proteon:  IP protocol configuration “disable directed-broadcast”
Bay Networks:  Set a false static ARP address for bcast address
3Com:  SETDefault -IP CONTrol = NoFwdSubnetBcast
Use access control lists (if necessary) at the network edge to drop ICMP echo requests addressed to your broadcast addresses; blocking all inbound echo requests also works, at the cost of inbound ping
Configure host machines to not reply to broadcast ICMP echos

•Host Requirements RFC-1122 Section 3.2.2.6 states “An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.”
•IBM has provided a setting in AIX 4.x to disable responses to broadcast addresses.  It is not available in AIX 3.x.  Use the "no" command to turn it off or on.  NOTE: On AIX 4.x responses are DISABLED by default.
no -o bcastping=0         # disable bcast ping responses (default)
•Solaris can be set not to respond to broadcast ICMP echo requests.  Add the following line to your /etc/rc2.d/S69inet startup:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
•Starting with version 2.2.5, FreeBSD's IP stack does not respond to icmp echo requests destined to broadcast and multicast addresses by default.  The sysctl parameter for this functionality is net.inet.icmp.bmcastecho.
•Under NetBSD, forwarding of directed broadcasts (the behavior that matters when the NetBSD box is the router in front of the segment) can be disabled by using the sysctl command:
sysctl -w net.inet.ip.directed-broadcast=0
•Under Linux (2.0 kernels), one can use the CONFIG_IP_IGNORE_ECHO_REQUESTS kernel build option to completely ignore ICMP echo requests.  Of course, this violates RFC 1122, which requires hosts to answer unicast echo requests.  Kernels from 2.2 on expose the narrower sysctl net.ipv4.icmp_echo_ignore_broadcasts, which ignores only echo requests sent to broadcast and multicast addresses and so stays within the RFC.
•Linux systems using ipfwadm (the 2.0 kernel packet filter) can be protected by adding input rules such as:
ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8
(replace 123.123.123.0 and 123.123.123.255 with your base network number and broadcast address, respectively)
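The checks that the slide's filter rules and host settings embody, as an added Python example that is not part of the original presentation: it derives the broadcast and network addresses of a hypothetical prefix list with the ipaddress module, flags echo requests aimed at them (the spoofed source of such a request is the real victim), tallies the amplified echo replies leaving the prefixes toward outside hosts, and renders the two ipfwadm rules above for each prefix so the base network number and broadcast address do not have to be worked out by hand. The prefixes (OUR_PREFIXES) and the packet records (SAMPLE_RECORDS) are constructed for the example, not captured data.

```python
"""Spot "Smurf" bounce traffic in a packet summary (added example).

Each record is a constructed tuple: (src_ip, dst_ip, ip_proto, icmp_type).
Real input would come from a flow export or a pcap decoder.
"""
import ipaddress
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Hypothetical address space "we" announce; replace with your own prefixes.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Constructed sample traffic, not captured data.
SAMPLE_RECORDS = [
    # Spoofed requests to our broadcast addresses: 203.0.113.9 is the victim.
    ("203.0.113.9", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
    ("203.0.113.9", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),
    ("203.0.113.9", "192.0.2.0", "icmp", ICMP_ECHO_REQUEST),  # old-style bcast
    ("203.0.113.9", "198.51.100.255", "icmp", ICMP_ECHO_REQUEST),
    # Replies from our hosts to the victim: the amplified flood.
    ("192.0.2.10", "203.0.113.9", "icmp", ICMP_ECHO_REPLY),
    ("192.0.2.11", "203.0.113.9", "icmp", ICMP_ECHO_REPLY),
    ("192.0.2.12", "203.0.113.9", "icmp", ICMP_ECHO_REPLY),
    # Benign unicast ping exchange with one of our hosts.
    ("203.0.113.50", "192.0.2.10", "icmp", ICMP_ECHO_REQUEST),
    ("192.0.2.10", "203.0.113.50", "icmp", ICMP_ECHO_REPLY),
    # Unrelated traffic.
    ("203.0.113.50", "192.0.2.10", "tcp", None),
]


def broadcast_targets(prefixes):
    """Addresses a Smurf attacker would aim at: the broadcast address of each
    prefix plus its network address, which 4.2BSD-style stacks also answer."""
    targets = set()
    for net in prefixes:
        targets.add(net.broadcast_address)
        targets.add(net.network_address)
    return targets


def is_broadcast_echo_request(record, prefixes):
    """True if the record is an ICMP echo request to one of our broadcast targets."""
    _src, dst, proto, icmp_type = record
    if proto != "icmp" or icmp_type != ICMP_ECHO_REQUEST:
        return False
    return ipaddress.ip_address(dst) in broadcast_targets(prefixes)


def find_bounce_victims(records, prefixes):
    """Count broadcast-directed echo requests by their (spoofed) source.
    Every such source is a victim: all hosts on the segment will reply to it."""
    victims = Counter()
    for rec in records:
        if is_broadcast_echo_request(rec, prefixes):
            victims[rec[0]] += 1
    return dict(victims)


def count_amplified_replies(records, prefixes):
    """Echo replies leaving our prefixes for outside hosts, keyed by destination.
    A destination with many replies per request is being flooded through us."""
    replies = Counter()
    for src, dst, proto, icmp_type in records:
        if proto != "icmp" or icmp_type != ICMP_ECHO_REPLY:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in net for net in prefixes) and not any(d in net for net in prefixes):
            replies[dst] += 1
    return dict(replies)


def ipfwadm_rules(net):
    """Render the slide's two ipfwadm input rules for one prefix."""
    return [
        f"ipfwadm -I -a deny -P icmp -D {net.network_address} -S 0/0 0 8",
        f"ipfwadm -I -a deny -P icmp -D {net.broadcast_address} -S 0/0 0 8",
    ]


if __name__ == "__main__":
    print("victims:", find_bounce_victims(SAMPLE_RECORDS, OUR_PREFIXES))
    print("amplified replies:", count_amplified_replies(SAMPLE_RECORDS, OUR_PREFIXES))
    for net in OUR_PREFIXES:
        print("\n".join(ipfwadm_rules(net)))
```

Because the victim's address is spoofed, the useful signal from the bounce site's side is the pair of counts: requests arriving for a broadcast target and replies leaving for one outside host. Once directed broadcasts are turned off on the router, the first count should stay flat and the second should drop to zero.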