Reporter Packet Storm
`Date: Wed, 13 Jan 1999 10:13:55 +0100
From: David TILLOY <dav@NNX.COM>
Subject: [(PM) PM3s Die - Comfirmed DoS Attack (fwd)]
This is a message from Livingston PM3 users mailing-list. It seems there
is a problem with PM3, and Lucent work on this bug. At this time, the
solution is give a the end of this message...
----- Forwarded message from Romain GUESDON <email@example.com> -----
---------- Forwarded message ----------
Date: Tue, 12 Jan 1999 14:50:35 -0700 (MST)
>From: Doug Ingraham <firstname.lastname@example.org>
To: Robert Blayzor <email@example.com>
Subject: Re: (PM) PM3s Die - Comfirmed DoS Attack
On Tue, 12 Jan 1999, Robert Blayzor wrote:
> Yes, it's confirmed. PM3's are susceptible to a heavy DoS attack.
> Anyone with access to a decent (T1 or possibly less) Internet connection
> can completely hose your ethernet segment on which your PM3(s) live.
> For security reasons I will not post how to reproduce the problem here.
> But if you monitor your PM3's and your network closely, you'll know
> when this happens. Suddenly, your PM3 segment will go from about 50k
> to over 6M+ (or more)...
> The problem has been reported to Lucent and they said they will be
> working on it. I just want to let everyone be aware that if you start
> seeing this problem on your network, you'll know why.
> I will hint to you that it has to do with the PM3 advertising routes
> on your network, but when packets arrive at the PM3, the PM3 stupidly
> forwards the packets back to the gateway, causing a packet loop on
> your network until the TTL expires.
> -Enjoy, this one is a fun one.
This was discussed a long time ago. I ran into it on one of my PM-2's
before the PM3 even existed. The solution is an ofilter on the ethernet.
If your pm's ethernet address is 192.168.0.10 and If your assigned IP's
are 192.168.2.16 with a poolsize of 48 as an example your filter needs to
add fil e.out
set fil e.out 1 permit 192.168.2.32/27
set fil e.out 2 permit 192.168.2.16/28
set fil e.out 3 permit 192.168.0.10/32
set fil e.out 4 deny log
If you have routes assigned by radius you will need to also include those
This solves the problem because it allows the box to only source routes
that it is supposed to be able to source. If you do this on all boxes and
on your borders nobody will be able to spoof those IP addresses and inject
them into your network and so they won't bounce between your PM and your
router like they do now a couple of hundred times before the ttl expires.
Doug Ingraham You can judge the quality of your life by how often
Rapid City, SD you notice the enjoyment of the little things.
----- End forwarded message -----
David TILLOY . Neuronnexion (nnx)
19/21, rue des Augustins . 80000 Amiens . FRANCE
Tel (+33 3).220.127.116.11 . Fax (+33 3).18.104.22.168