smurf attacks


hardigunawan
10-02-2000, 11:16 PM
I've been reading the book "Linux Firewall" and came across these few lines to block smurf attacks:

#smurf attack
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -d $BROADCAST_DEST -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -d $BROADCAST_DEST -j REJECT -l

#smurf attack - network mask
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -d $NETMASK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -d $NETMASK -j REJECT -l

#smurf attack - network address
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp -d $NETWORK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp -d $NETWORK -j REJECT -l

I do not understand why the last 2 sets put the destination as NETMASK and NETWORK?

Isn't blocking the BROADCAST_DEST enough?

Thanks.
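A defender-side illustration of what the three rule pairs above actually match, added here as an example and not taken from the book or from any poster. It assumes an external interface eth0 with the address 203.0.113.10/24 (a documentation prefix) and derives $NETWORK, $BROADCAST_DEST and $NETMASK from it, so you can see that the three destinations are three distinct addresses and a rule for one of them does not cover the others.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed values (constructed for this example, not from the book or thread).
EXTERNAL_INTERFACE = "eth0"
IFACE = ipaddress.ip_interface("203.0.113.10/24")

# The book's shell variables, derived the way a firewall script would set them.
NETWORK = str(IFACE.network.network_address)           # $NETWORK        -> 203.0.113.0
BROADCAST_DEST = str(IFACE.network.broadcast_address)  # $BROADCAST_DEST -> 203.0.113.255
NETMASK = str(IFACE.network.netmask)                   # $NETMASK        -> 255.255.255.0

# One entry per ipchains rule pair: destination -> label used in the log line.
SMURF_DESTS = {BROADCAST_DEST: "broadcast", NETMASK: "netmask", NETWORK: "network"}


@dataclass
class Packet:
    chain: str   # "input" or "output", the ipchains chain being traversed
    iface: str   # interface the packet arrives on / leaves by
    proto: str   # "icmp", "tcp", "udp"
    dst: str     # destination IPv4 address as a string


def smurf_rule_verdict(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Mirror the six rules: ICMP on the external interface to one of the three
    destinations is DENY on input, REJECT on output, and logged (the '-l' flag).
    Anything else falls through to ACCEPT here; in the real script later rules decide."""
    if pkt.iface == EXTERNAL_INTERFACE and pkt.proto == "icmp" and pkt.dst in SMURF_DESTS:
        verdict = "DENY" if pkt.chain == "input" else "REJECT"
        log = f"smurf {SMURF_DESTS[pkt.dst]} {verdict} {pkt.chain} icmp dst={pkt.dst}"
        return verdict, log
    return "ACCEPT", None


def run_samples() -> dict:
    """Constructed sample packets, keyed by a short description, with their verdicts."""
    samples = {
        "icmp to broadcast": Packet("input", "eth0", "icmp", "203.0.113.255"),
        "icmp to network":   Packet("input", "eth0", "icmp", "203.0.113.0"),
        "icmp to netmask":   Packet("output", "eth0", "icmp", "255.255.255.0"),
        "icmp to host":      Packet("input", "eth0", "icmp", "203.0.113.10"),
        "udp to broadcast":  Packet("input", "eth0", "udp", "203.0.113.255"),
        "icmp on lan side":  Packet("input", "eth1", "icmp", "203.0.113.255"),
    }
    return {name: smurf_rule_verdict(p)[0] for name, p in samples.items()}
```

Only the ICMP packets aimed at the three rule destinations on eth0 are stopped; the host-addressed ICMP and the non-ICMP broadcast pass this stage, which is why the book's later rules and the ISP's own filtering still matter.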

Golden_Eternity
10-04-2000, 04:25 PM
Blocking the broadcast address will keep you from becoming part of a smurf attack. Ignoring icmp in general will go a little ways toward protecting you from being attacked.

This really should be something your ISP handles, they shouldn't be routing broadcast packets... But it doesn't hurt for you to block them too.

hardigunawan
10-04-2000, 09:24 PM
But why does the book go into denying/rejecting packets with destination $NETMASK and $NETWORK?

Thanks again!

Golden_Eternity
10-08-2000, 04:41 PM
Blocking packets with the $NETWORK destination would be blocking packets aimed at your network... that would be protecting you from part of the attack (trying to anyway).

I don't know about blocking $NETMASK... possibly adding additional coverage... Not quite sure.

[This message has been edited by Golden_Eternity (edited 08 October 2000).]

jemfinch
10-08-2000, 05:33 PM
The netmask is in general the broadcast address for a network.

Jeremy

Darth Tminos
10-09-2000, 12:52 AM
AAH! IT'S PAPA SMURF! RUN!

Golden_Eternity
10-09-2000, 06:19 PM
Originally posted by jemfinch:
The netmask is in general the broadcast address for a network.

Jeremy

The broadcast address is the netmask followed by .255's to complete the address...

But he already had the broadcast address blocked...