[FW1] Fwd: Re: Smurf attack
> To: Paul Cunningham <[email protected]>
>
> To the best of my knowledge, I would think you would want to call
> your ISP and have them change their routers to stop the attack,
> assuming the attack is coming from a leased line to the internet.
> You can change the rules on your firewall to stop the attack there,
> but if your ISP's routers are still vulnerable, that won't fix your
> problem. You'd probably want to get your ISP's help to try to figure
> out where the attack is coming from, as maybe law enforcement might
> be interested.
>
> If the attack is coming from inside your network, a firewall
> probably won't help, though if you have internal routers those might
> be able to help.
>
> As far as blocking ICMP on your firewall, I don't know if I can help
> you from here, but on my Firewall-1 v4 GUI, first I have to go into
> the Security Policy program and go into Policy, Properties, Access
> Lists, and remove the checkbox for Allow ICMP. Then, you have to
> read the rules in your rulebase one by one to make sure there isn't
> a rule that allows ICMP or all traffic out from your network to the
> untrusted network. Be sure to select View, Implied Pseudo-Rules to
> see the hidden rules in yellow which are put there by the options
> under Policy, Properties.
>
> You could add a rule that blocks ICMP traffic, but where you add the
> rule makes a big difference as the rules are processed top to
> bottom. You probably want to add the rule near the top of the
> rulebase, or at least before you start seeing rules that allow
> traffic. The rule might look like this:
>
> Source = source of the attacks
> Destination = All or = Attacked Network
> Service = ICMP
> Action = Drop
> Track = Short or Long [again look at the other rules]
> Install On = Your firewall [look at how the other rules are set up here]
> Time = Any
>
> Note that a rule allowing traffic out also allows the responses to
> that traffic back in, so you don't have to set up a second rule to
> allow the traffic back in.
>
> When you're happy with the rule, click on Save, then click on
> Policy, Install, and then test the network after the rulebase is
> installed to make sure everything is working as expected. Also,
> initiate some test ICMP traffic from the untrusted network and check
> the log viewer to make sure the traffic you want to drop is being
> dropped. You can filter on Service/Protocol = ICMP, or Action =
> Drop, or both.
>
> Why do you suspect a Smurf attack? If you're not sure whether or not
> you are really having a Smurf attack, the FW-1 Log Viewer is your
> friend. Right-click on the headers to select the type of traffic
> you're trying to see [e.g. choose to look just at the ICMP protocol
> and maybe filter out entries by destination].
>
> http://www.grc.com/ has an interesting story on how they handled a
> similar attack.
>
> I hope this helps. It's hard to help with a problem like this from
> here without knowing more details about your software and hardware
> and network. Let me know if anything interesting happens.
>
> --- Paul Cunningham <[email protected]> wrote:
> >
> > Hello all,
> >
> > I am a newbie with this software and have been thrust into a
> > situation that requires me to write a rule for my firewall denying
> > all ICMP traffic. Our regular administrator is unreachable and we
> > have no tech support. I need to lock this down to stop a "Smurf"
> > attack on my network. If anyone might be kind enough to lend me a
> > hand I would appreciate it. I'm sure it's easy for people who are
> > well versed in the software, but I am looking at it for the first
> > time today! I'm sure that rule may already be in place, but need
> > to verify that. I figured out the basics on how to create the
> > rule, but I'm not sure where the objects should be placed and
> > what, if any, advanced features I need to invoke.
> >
> > Thanks,
> >
> > Paul
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
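
The rule-ordering point in the reply above, as an added example that is not part of the original thread: a small first-match rulebase model in Python that evaluates traffic top to bottom and lists the earlier accept rules that would keep an ICMP drop rule from ever firing. This is not Check Point's engine or file format; the rule names, networks and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str   # "icmp", "tcp/80", or "any"
    action: str    # "accept" or "drop"

def matches(rule, src, dst, service):
    return (ipaddress.ip_address(src) in rule.src
            and ipaddress.ip_address(dst) in rule.dst
            and rule.service in ("any", service))

def decide(rulebase, src, dst, service):
    """First matching rule wins; no match falls through to an implicit drop."""
    for rule in rulebase:
        if matches(rule, src, dst, service):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"

def shadowing(rulebase, target):
    """Names of earlier accept rules that fully cover `target`."""
    hits = []
    for rule in rulebase:
        if rule is target:
            break
        if (rule.action == "accept"
                and target.src.subnet_of(rule.src)
                and target.dst.subnet_of(rule.dst)
                and rule.service in ("any", target.service)):
            hits.append(rule.name)
    return hits

# Constructed sample data using documentation address ranges.
INSIDE = ipaddress.ip_network("192.0.2.0/24")
ATTACKERS = ipaddress.ip_network("198.51.100.0/24")
drop_icmp = Rule("drop-icmp", ATTACKERS, INSIDE, "icmp", "drop")
allow_all_in = Rule("allow-any-to-inside", ANY, INSIDE, "any", "accept")
allow_web = Rule("allow-web", ANY, INSIDE, "tcp/80", "accept")

drop_last = [allow_all_in, allow_web, drop_icmp]   # drop rule below a broad accept
drop_first = [drop_icmp, allow_all_in, allow_web]  # drop rule near the top
```

Running `shadowing()` against each candidate position before installing a policy gives the same answer as reading the rulebase one by one for rules that allow ICMP or all traffic.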