Organizations that operate networks connected to the Internet may be serving as unwitting participants in Denial of Service (DoS) Attacks like those that hit many organizations in early February, 2000.
You can act now to reduce the chances that your network could be used to damage other networks if you implement the following two steps:
All organizations connected to the Internet should only allow packets to leave their network with valid Source IP Addresses that belong to their network. This will minimize the chance that your network will be the source of a Spoofed DoS Attack. This will not prevent Distributed DoS attacks coming from your network with valid source addresses.
In order to implement this you will need to know the IP network blocks that are in use at your site. If you do not know this information at this time, then please skip to Step 1.2, and come back to this step once you have that information.
Preventing Spoofed Source IP Address traffic can be accomplished with filtering on routers, firewalls, and hosts. Here is a generic example of what the filter needs to look like.
Permit your site's valid source addresses to the Internet. Deny all other source addresses.
On the router(s) connected to your ISP(s), if the interface IP address on the link connecting to the ISP is not out of one of your site's IP blocks, you should also permit packets with the interface IP address.
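As an added example (not from this page or from any vendor's documentation), the following Python builds the generic filter above as Cisco-style extended access-list lines, including the extra permit for an ISP link address that falls outside the site's blocks, and simulates the decision the filter makes for an outbound source address. The site blocks and link address are constructed RFC 5737 documentation values.

```python
import ipaddress

# Constructed sample site: two address blocks plus the interface address on the
# link to the ISP (RFC 5737 documentation ranges, not a real allocation).
SITE_BLOCKS = ["192.0.2.0/24", "198.51.100.0/24"]
ISP_LINK_ADDRESS = "203.0.113.10"  # not inside either site block


def wildcard_mask(cidr):
    """Cisco-style wildcard mask for a prefix: the inverse of its subnet mask."""
    return str(ipaddress.ip_network(cidr, strict=True).hostmask)


def egress_acl(site_blocks, link_address=None, acl_number=110):
    """Lines of an outbound ACL: permit valid site sources, deny everything else.

    Apply it outbound on the interface facing the ISP (ip access-group N out).
    """
    lines = []
    for block in site_blocks:
        net = ipaddress.ip_network(block, strict=True)
        lines.append(f"access-list {acl_number} permit ip "
                     f"{net.network_address} {net.hostmask} any")
    if link_address is not None:
        addr = ipaddress.ip_address(link_address)
        # Only needed when the link address is outside the site's own blocks.
        if not any(addr in ipaddress.ip_network(b) for b in site_blocks):
            lines.append(f"access-list {acl_number} permit ip host {addr} any")
    # Final deny with logging so spoofing attempts from inside show up in logs.
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


def source_allowed(src, site_blocks, link_address=None):
    """Simulate the filter: may a packet with this source address leave the site?"""
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(b) for b in site_blocks):
        return True
    return link_address is not None and addr == ipaddress.ip_address(link_address)


if __name__ == "__main__":
    for line in egress_acl(SITE_BLOCKS, ISP_LINK_ADDRESS):
        print(line)
    for src in ("192.0.2.7", "203.0.113.10", "10.1.2.3", "198.51.100.200"):
        verdict = "permit" if source_allowed(src, SITE_BLOCKS, ISP_LINK_ADDRESS) else "deny"
        print(src, verdict)
```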
For detailed instructions on implementing this filtering please select the platform that you are using from the list in the "Step One: Detailed Directions" section below.
This step is not necessary if you were able to fully complete Step 1.1.
If you are unsure what address space is in use at your site, then you should at least deny Private (RFC 1918) and Reserved Source IP Addresses. The following is a list of source addresses that should be filtered.
0.0.0.0/8 - Historical Broadcast
10.0.0.0/8 - RFC 1918 Private Network
169.254.0.0/16 - Link Local Networks
172.16.0.0/12 - RFC 1918 Private Network
192.168.0.0/16 - RFC 1918 Private Network
224.0.0.0/4 - Class D Multicast
240.0.0.0/5 - Class E Reserved
If you are using Network Address Translation (NAT), you need to make sure that you perform this filtering between your NAT device and your ISP, and you should also verify that your NAT device configuration only translates addresses used and authorized for your internal address space.
Denying Private and Reserved Source IP Addresses can be accomplished with filtering on routers, firewalls, and hosts. Please select the platform that you are using from the list in the "Step One: Detailed Directions" section below.
Detailed directions for disabling Directed Broadcast are available for the following systems. For many other types of systems, see Craig Huegen's authoritative page at http://users.quadrunner.com/chuegen/smurf/ which contains instructions for those platforms.
The following systems have Directed Broadcast disabled by default. However, these systems may have a way to turn this behavior back on. Please select the link for your platform for information on making sure that the system is in the default state, and does not allow directed broadcasts.
http://support.microsoft.com/support/kb/articles/Q152/7/34.ASP
To test your network to see if it is acting as an amplification site you can use the "ping" command to send an ICMP Echo Request packet to the Network Base IP Address of your network(s) and the Broadcast IP Address of your network(s).
You will need to know your Network Base IP Address and your Broadcast IP Address. You may find the CIDR Table helpful in determining these addresses for your network.
From a machine on the Internet side of your router (i.e. off your site) ping both the Network Base Address (x.x.x.0 for a /24 aka Class C) and the Broadcast Address (x.x.x.255 for a /24 aka Class C) of an internal subnet with a number of machines on it.
Please select from the following list of operating systems for detailed instructions on using the ping command and analyzing the output to determine if your network is a Broadcast Amplification site.
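As an added example that is not part of the original page, the Python below does the two pieces of the self-test that are platform-independent: it works out the Network Base and Broadcast addresses for a subnet (the job of the CIDR Table mentioned above) and it analyzes ping output to count how many distinct hosts answered and how many replies came back per request. The ping output is a constructed sample in Linux iputils format, not a real capture; a single responder (typically the router) is normal, while several responders or more replies than requests means directed broadcasts are still being answered.

```python
import ipaddress
import re


def base_and_broadcast(cidr):
    """Network Base and Broadcast addresses of the subnet a host address lies in."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


# One match per ICMP Echo Reply line in Linux ping output, e.g.
# "64 bytes from 192.0.2.20: icmp_seq=1 ttl=64 time=1.35 ms (DUP!)"
REPLY_RE = re.compile(r"bytes from (\d{1,3}(?:\.\d{1,3}){3}):")
SENT_RE = re.compile(r"(\d+) packets transmitted")


def amplification_report(ping_output):
    """Summarise who answered a ping sent to a Network Base or Broadcast address.

    More than one distinct responder, or more replies than requests, means the
    network is answering directed broadcasts and can act as an amplifier.
    """
    replies = REPLY_RE.findall(ping_output)
    m = SENT_RE.search(ping_output)
    sent = int(m.group(1)) if m else 0
    responders = sorted(set(replies))
    return {
        "sent": sent,
        "replies": len(replies),
        "responders": responders,
        "ratio": len(replies) / sent if sent else 0.0,
        "amplifier": len(responders) > 1 or len(replies) > sent,
    }


# Constructed sample: what "ping -c 2 192.0.2.255" from an off-site host could
# print if the (documentation-range) subnet 192.0.2.0/24 answers directed broadcasts.
SAMPLE_OUTPUT = """\
PING 192.0.2.255 (192.0.2.255) 56(84) bytes of data.
64 bytes from 192.0.2.1: icmp_seq=1 ttl=255 time=1.10 ms
64 bytes from 192.0.2.20: icmp_seq=1 ttl=64 time=1.35 ms (DUP!)
64 bytes from 192.0.2.33: icmp_seq=1 ttl=64 time=1.40 ms (DUP!)
64 bytes from 192.0.2.1: icmp_seq=2 ttl=255 time=1.05 ms
64 bytes from 192.0.2.20: icmp_seq=2 ttl=64 time=1.30 ms (DUP!)

--- 192.0.2.255 ping statistics ---
2 packets transmitted, 2 received, +3 duplicates, 0% packet loss, time 1001ms
"""

if __name__ == "__main__":
    print(base_and_broadcast("192.0.2.77/24"))
    print(amplification_report(SAMPLE_OUTPUT))
```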
Please be aware that these sites are operated by independent third parties, and that you should use them at your own risk. If your site is in really poor shape it may get added to a "blacklist" that can then be used by attackers to identify your site as a good broadcast amplification site. Because of this you are strongly encouraged to self test with the ping commands listed above first.
When you purchase new systems, require that the vendor disable receipt and forwarding of directed broadcast packets as specified in RFC 2644.
Based on this you should be asking your vendors to ship systems with Directed Broadcast disabled by default. At the very least the vendor should provide a mechanism to disable Directed Broadcasts.
Some vendors already disable IP directed broadcast by default in the latest versions of their software, but many do not. Please help educate these other vendors by pointing them to RFC 2644.