Subject: DOS attacks - New Filters which affect Ping
Newsgroups: lobby,announcements

Because our site has been the target of a number of denial of service attacks that have come in the form either of UDP or ICMP floods, I have implemented new filter rules at the Sprint end of the T1 links to prevent saturation of our links by net terrorists.

The vast majority of these attacks are directed at either our IRC servers or Chat, the machine used to run bots, and so for some time we have had ICMP and UDP filtered towards those machines upstream. More recently, eskimo, tia1, and various dial-up PPP addresses have been targeted.

About 99.99% of the time, these attacks occur when someone in IRC angers someone else, or someone else wants to take over their channel, and so they launch a denial of service attack against their ISP in an effort to blow them off the net. The IRC servers are attacked because one method of taking over channels involves splitting a server from the rest of the net, and though with time stamps it's not terribly effective, they still try it. There are also jerks that just get off on blowing 400 clients off a busy server or disrupting network connectivity in general. Chat is targeted because bots are run there, and if someone wants to take over a channel protected by a bot, a prerequisite is to get rid of the bot, so they try to flood that machine off the net. Eskimo is targeted because people run Unix IRC clients here, and because it's an obvious target if you're just trying to saturate the links and blow everyone on the ISP off the net. Tia1 is targeted because people run IRC clients on their own machines connected via emulated SLIP or PPP. Dial-up IP addresses are targeted because people run IRC clients or bots via real PPP or SLIP.

Filtering IP is a bit of a double-edged sword: it is impossible to filter all possible attacks and still provide any services, because any service is a possible target of an attack. So there is a trade-off between functionality and security that must be made.

The majority of recent attacks are smurf attacks. These work by sending ICMP echo request packets to the open broadcast address of a network that has a lot of hosts, a lot of bandwidth and no meaningful security, with the source address forged to be that of the target machine, thus causing every host on that network to send echo replies that flood the target. Filtering ICMP echo replies is therefore the largest part of these filtering rules. ICMP echo replies are now blocked to all of irc, hub, chat, eskimo, and tia1, as well as all of the dial-up address space. This has the unfortunate side effect of breaking ping. I apologize for this, but the alternative is to have regular 15-20 minute outages (however long it takes us to get Sprint to respond on the fly) when some twit in IRC gets his nose bent out of joint or is just plain acting maliciously and launches a DOS attack.

UDP is also blocked to chat, irc, hub, and tia1, with holes cut through for uping on hub and irc, and a hole for name service on tia1. IRCD is a TCP based service, as are bots, so UDP is not necessary on irc or hub except for uping, and not necessary on chat at all. These rules aren't new, but blocking UDP to tia1 is. Since UDP services aren't supported by emulated SLIP/PPP, this should not affect functionality on that machine. Anybody needing UDP over PPP should request non-dedicated SLIP/PPP, which does support this.

As I've stated, these filters won't stop all possible attacks, but it is really difficult to be more thorough without causing major functionality problems. If someone who knows Cisco filtering rules can show me how to make an access list entry that would deny ICMP echo reply with packet sizes larger than about 100 bytes, this would allow us to stop smurf attacks (which use large packets, usually about 1kb) without breaking ping.
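As an added illustration (not part of the original posting, and not the actual router configuration), the following Python models the filter policy described above as a small packet classifier, so the trade-off can be seen on sample traffic: with the rules as deployed, every ICMP echo reply to a protected host or the dial-up pool is dropped, which also kills ordinary ping; with the size-based refinement the post asks for, only echo replies over a byte limit are dropped and small pings survive. The host addresses are placeholders from the RFC 5737 documentation ranges, the uping port is hypothetical (the post names the service but no port), and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addresses (RFC 5737 documentation ranges);
# the posting names the hosts but gives no IP addresses.
HOSTS = {
    "irc": ip_address("192.0.2.10"),
    "hub": ip_address("192.0.2.11"),
    "chat": ip_address("192.0.2.12"),
    "eskimo": ip_address("192.0.2.13"),
    "tia1": ip_address("192.0.2.14"),
}
DIALUP = ip_network("198.51.100.0/24")  # placeholder dial-up PPP/SLIP pool

ICMP_ECHO_REPLY = 0   # ICMP type 0
DNS_PORT = 53         # the "name service" hole on tia1
UPING_PORT = 7005     # hypothetical port for ircd's UDP ping; the post gives none
UDP_BLOCKED = {"chat", "irc", "hub", "tia1"}


@dataclass
class Packet:
    proto: str                     # "icmp", "udp" or "tcp"
    src: str
    dst: str
    length: int                    # total IP datagram length in bytes
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


def host_name(dst):
    """Map a destination address to a named host, 'dialup', or None."""
    for name, addr in HOSTS.items():
        if dst == addr:
            return name
    if dst in DIALUP:
        return "dialup"
    return None


def filter_packet(pkt, echo_reply_max=None):
    """Return 'permit' or 'deny' for one inbound packet.

    echo_reply_max=None models the rules as deployed: every ICMP echo
    reply to a protected destination is dropped.  A byte limit models the
    refinement the post asks for: only echo replies larger than the limit
    are dropped, so ordinary small pings keep working.
    """
    target = host_name(ip_address(pkt.dst))
    if target is None:
        return "permit"           # not one of the protected destinations

    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REPLY:
        if echo_reply_max is None or pkt.length > echo_reply_max:
            return "deny"
        return "permit"

    if pkt.proto == "udp" and target in UDP_BLOCKED:
        if target in ("irc", "hub") and pkt.dport == UPING_PORT:
            return "permit"       # hole for uping
        if target == "tia1" and pkt.dport == DNS_PORT:
            return "permit"       # hole for name service
        return "deny"

    return "permit"


# Constructed sample traffic: two smurf-sized echo replies at a dial-up
# address, a normal ping reply, a DNS answer, a UDP flood at the bot
# host, an uping to hub and an ordinary IRC client connection.
SAMPLE = [
    Packet("icmp", "203.0.113.7", "198.51.100.42", 1028, icmp_type=0),
    Packet("icmp", "203.0.113.8", "198.51.100.42", 1028, icmp_type=0),
    Packet("icmp", "203.0.113.9", "192.0.2.13", 64, icmp_type=0),
    Packet("udp", "203.0.113.53", "192.0.2.14", 120, dport=53),
    Packet("udp", "203.0.113.9", "192.0.2.12", 1024, dport=6667),
    Packet("udp", "203.0.113.9", "192.0.2.11", 60, dport=7005),
    Packet("tcp", "203.0.113.9", "192.0.2.10", 80, dport=6667),
]


def summarize(packets, echo_reply_max=None):
    """Count permitted and denied packets under one policy variant."""
    counts = {"permit": 0, "deny": 0}
    for pkt in packets:
        counts[filter_packet(pkt, echo_reply_max)] += 1
    return counts


if __name__ == "__main__":
    for limit in (None, 100):
        print(f"echo_reply_max={limit}: {summarize(SAMPLE, limit)}")
```

Run as-is it prints the counts for both variants: the deployed rules deny the 64-byte ping reply along with the large smurf replies and the UDP flood, while the 100-byte limit lets the small ping through and still drops the large replies. The size cut-off is a heuristic rather than a guarantee, since an attacker choosing small echo requests would still get replies through; the post's own point that any reachable service remains a possible target still holds.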