Ascend Archive

RE: (ASCEND) GRF filter to block Smurf attacks




On 23 Sep 1998, Jeremy T. Bouse wrote:

> Out of curiosity has anyone with a GRF designed a
> filter config to stop smurf (broadcast) attacks? A
> recent "irc packet warrior" decided to smurf one of
> our dial-up boxes and lit our hubs in the NOC up like
> a burning X-mas tree... current fix was to block all
> ICMP traffic from the class B block the broadcast
> packets were coming as. Not the best fix but it
> stopped the X-mas tree effect on the hubs. We're
> looking at a more permanent solution that can keep
> this from happening again.

The best I was able to get out of an Ascend engineer is quoted below (names
withheld to protect the guilty):

<begin GRF-Anti-Smurf>
Hi Devin,

Basically, the Answer: The GRF does not forward directed broadcast packets
that it receives from another host.  It will respond to it and it will also
source/send/originate a directed broadcast packet, for example, you can ping
a directed broadcast address.
<end GRF-Anti-Smurf>

This is such a load of crap; the person who sent this to me is normally a
clueful person, so I can only assume somebody was feeding him extremely bad
data.  I was trivially able to prove this false under 1.4.6, and now that
I'm back on 1.3.11, I suspect I can do the same thing.

Given the extremely sub-standard documentation for the filtering daemon,
I've had neither the time nor the energy to sit down and screw with it until
I figure out where the docs are lying and wrong.  I suspect that situation
will continue until the frame-relay line to my house is installed and I can
make some time to play with it on my line.

<gripe type="disgruntled GRF customer">
Answers like these are just small reasons why those of us who stuck our
necks out to buy GRFs feel like we got left holding the bag.  I've had a
feature request in now for the filtering code for the GRFs to include the
option to filter by source socket (as well as destination) for quite a few
months now, with no word whatsoever.  When I found out that my provider,
Savvis, was hugely dissatisfied with their GRFs and was in the process of
replacing them for Cisco's (after we'd committed to buying the GRF), I felt
more than a bit like the proverbial red-headed stepchild.  It took a threat
to crate the thing back up and send it back to finally get a decent level of
support for the ongoing ATM problems we were having *after* I'd suggested
the eventual fix myself after talking with engineers at Savvis.  ("Oh, no,
Mr. Ganger, you don't have to send your GRF back to us.  It seems that there
are some known problems with ATM and 1.4.6; why don't we roll you back to
1.3.11 plus some patches?"  "You mean, like I suggested that we do two weeks
ago?"  "Uh, uh, uh...")
</gripe>

To give Ascend their due, once we finally got good answers going, the GRF
has been performing flawlessly.  Of course, we have a simple network, and we
come nowhere close to actually stressing the box, but things seem to be
fine.  We haven't had a GRF-related service outage in almost two months,
now.  There are a few good people who work in the GRF tech support trenches
(Hi, Paul and Willie!).

However, bad (or non-existent) documentation, obviously false information
being blindly spouted as the Party line, lack of follow-through from reps
and support engineers, and no response to simple queries (Is there any sort
of reference to the Ascend MIBs for the GRF, other than wading through the
MIBs themselves?  Are there any plans to correct this?) has left me in the
unenviable position of wishing I'd bought the Other Guy's router -- *any*
Other Guy's router -- and having to tell people who ask that Ascend and the
GRF aren't up to snuff.

--
Devin L. Ganger
Chief Systems Administrator, Premier1 Internet Services, Inc.
"And Hell does not always look like Hell.  On a good day, it can look
a lot like L.A."    -- Dr. Eugene Sands, _Playing God_
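
The two filtering approaches discussed in this thread, side by side, as an added example that is not part of the original message and is not GRF filter syntax: the stopgap of dropping all ICMP from one class B, and the rule of not forwarding packets addressed to an attached subnet's broadcast address. The subnets, the 172.16.0.0/16 block and the packets are constructed for illustration.

```python
import ipaddress

# Constructed values (assumptions, not taken from the original message).
ATTACHED_SUBNETS = [ipaddress.ip_network("192.0.2.0/25"),
                    ipaddress.ip_network("198.51.100.0/24")]
BLOCKED_CLASS_B = ipaddress.ip_network("172.16.0.0/16")


def is_directed_broadcast(dst, subnets=ATTACHED_SUBNETS):
    """True if dst is the all-ones (or legacy all-zeros) host address of an attached subnet."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        if net.prefixlen >= 31:  # /31 and /32 have no broadcast address
            continue
        if addr == net.broadcast_address or addr == net.network_address:
            return True
    return False


def stopgap_filter(pkt):
    """The stopgap from the quoted post: drop all ICMP sourced from one class B."""
    src = ipaddress.ip_address(pkt["src"])
    return "drop" if pkt["proto"] == "icmp" and src in BLOCKED_CLASS_B else "forward"


def no_directed_broadcast_filter(pkt):
    """Drop transit packets addressed to an attached subnet's broadcast address."""
    return "drop" if is_directed_broadcast(pkt["dst"]) else "forward"


# Constructed transit packets arriving from another network.
PACKETS = [
    {"src": "172.16.9.4", "dst": "192.0.2.10", "proto": "icmp"},      # unicast ICMP from the class B
    {"src": "172.16.9.4", "dst": "192.0.2.10", "proto": "tcp"},       # other traffic from the class B
    {"src": "203.0.113.7", "dst": "192.0.2.127", "proto": "icmp"},    # broadcast of the attached /25
    {"src": "203.0.113.7", "dst": "198.51.100.255", "proto": "udp"},  # broadcast of the attached /24
    {"src": "203.0.113.7", "dst": "192.0.2.255", "proto": "icmp"},    # not a broadcast of any attached subnet
]


def evaluate(packets=PACKETS):
    """Return (stopgap verdict, no-directed-broadcast verdict) for each packet."""
    return [(stopgap_filter(p), no_directed_broadcast_filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdicts in zip(PACKETS, evaluate()):
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], verdicts)
```

The second rule keeps the router's own subnets from being used as an amplifier regardless of source or protocol; it does nothing about unicast replies already arriving from elsewhere, which is what the stopgap addressed.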
