Date: Wed, 13 Jan 1999 10:13:55 +0100
From: David TILLOY
To: BUGTRAQ@netspace.org
Subject: [(PM) PM3s Die - Confirmed DoS Attack (fwd)]

This is a message from the Livingston PM3 users mailing-list. It seems there is a problem with PM3, and Lucent is working on this bug. At this time, the solution is given at the end of this message...

Best Regards,
David.

----- Forwarded message from Romain GUESDON -----

---------- Forwarded message ----------
Date: Tue, 12 Jan 1999 14:50:35 -0700 (MST)
From: Doug Ingraham
To: Robert Blayzor
Cc: portmaster-users@livingston.com
Subject: Re: (PM) PM3s Die - Confirmed DoS Attack

On Tue, 12 Jan 1999, Robert Blayzor wrote:

> Yes, it's confirmed. PM3's are susceptible to a heavy DoS attack.
> Anyone with access to a decent (T1 or possibly less) Internet connection
> can completely hose your ethernet segment on which your PM3(s) live.
>
> For security reasons I will not post how to reproduce the problem here.
> But if you monitor your PM3's and your network closely, you'll know
> when this happens. Suddenly, your PM3 segment will go from about 50k
> to over 6M+ (or more)...
>
> The problem has been reported to Lucent and they said they will be
> working on it. I just want to let everyone be aware that if you start
> seeing this problem on your network, you'll know why.
>
> I will hint to you that it has to do with the PM3 advertising routes
> on your network, but when packets arrive at the PM3, the PM3 stupidly
> forwards the packets back to the gateway, causing a packet loop on
> your network until the TTL expires.
>
> -Enjoy, this one is a fun one.

This was discussed a long time ago. I ran into it on one of my PM-2's
before the PM3 even existed. The solution is an ofilter on the ethernet.
If your PM's ethernet address is 192.168.0.10 and your assigned IPs are
192.168.2.16 with a poolsize of 48, as an example, your filter needs to
look like:

    add fil e.out
    set fil e.out 1 permit 192.168.2.32/27
    set fil e.out 2 permit 192.168.2.16/28
    set fil e.out 3 permit 192.168.0.10/32
    set fil e.out 4 deny log

If you have routes assigned by RADIUS you will need to also include those
permits.

This solves the problem because it allows the box to only source routes
that it is supposed to be able to source. If you do this on all boxes and
on your borders, nobody will be able to spoof those IP addresses and
inject them into your network, and so they won't bounce between your PM
and your router like they do now a couple of hundred times before the TTL
expires.

Doug Ingraham
Rapid City, SD
USA

    You can judge the quality of your life by how often
    you notice the enjoyment of the little things.

----- End forwarded message -----

--
David TILLOY . Neuronnexion (nnx)
19/21, rue des Augustins . 80000 Amiens . FRANCE
Tel (+33 3).22.71.61.90 . Fax (+33 3).22.71.61.99
Mailto:David.TILLOY@neuronnexion.fr
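As an added example (not part of the thread above), the following Python builds Doug's egress ofilter from the PM's ethernet address and its address pool, splitting the pool into minimal CIDR blocks the way the post does by hand (48 addresses from 192.168.2.16 become a /28 and a /27), and then checks candidate source addresses against it. The rule text copies the `set fil e.out ...` lines from the post; the first-match evaluation and the treatment of an unmatched packet as denied are assumptions about ComOS filter semantics, and RADIUS-assigned routes would be passed as extra pool tuples.

```python
"""Generate a PortMaster-style egress filter from owned address blocks and
evaluate packet sources against it. Added example; rule wording follows the
'set fil e.out N permit/deny' lines quoted in the mailing-list post."""
import ipaddress
from typing import List, Tuple


def pool_blocks(first_ip: str, size: int) -> List[ipaddress.IPv4Network]:
    """Split a pool given as (first address, count) into minimal CIDR blocks,
    e.g. 192.168.2.16 + 48 -> 192.168.2.16/28, 192.168.2.32/27."""
    first = ipaddress.IPv4Address(first_ip)
    last = first + (size - 1)
    return list(ipaddress.summarize_address_range(first, last))


def build_ofilter(name: str, pm_ip: str, pools: List[Tuple[str, int]]) -> List[str]:
    """Permit only sources the box legitimately owns (pools plus its own
    ethernet address), then deny and log everything else."""
    nets: List[ipaddress.IPv4Network] = []
    for first_ip, size in pools:
        nets.extend(pool_blocks(first_ip, size))
    nets.append(ipaddress.IPv4Network(f"{pm_ip}/32"))
    # Larger blocks first, which reproduces the ordering used in the post.
    nets.sort(key=lambda n: (n.prefixlen, int(n.network_address)))
    rules = [f"add fil {name}"]
    for i, net in enumerate(nets, 1):
        rules.append(f"set fil {name} {i} permit {net.with_prefixlen}")
    rules.append(f"set fil {name} {len(nets) + 1} deny log")
    return rules


def egress_allowed(rules: List[str], src_ip: str) -> bool:
    """First-match check of a packet's source against the generated rules
    (assumed ComOS semantics). A spoofed source the PM does not own is
    dropped at the ethernet port instead of being bounced back to the gateway."""
    src = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        parts = rule.split()
        if parts[0] != "set":
            continue
        action = parts[4]
        if action == "deny":          # catch-all; trailing 'log' only requests logging
            return False
        if action == "permit" and src in ipaddress.IPv4Network(parts[5]):
            return True
    return False                      # nothing matched: treat as denied (assumption)


if __name__ == "__main__":
    ruleset = build_ofilter("e.out", "192.168.0.10", [("192.168.2.16", 48)])
    print("\n".join(ruleset))
    for ip in ("192.168.2.40", "10.0.0.1"):       # constructed test sources
        print(ip, "permit" if egress_allowed(ruleset, ip) else "deny")
```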