smurf's attack...
Rick Summerhill
rrsum at cody.flinthills.com
Fri Sep 5 21:23:45 UTC 1997
On Fri, 5 Sep 1997, Jordyn A. Buchanan wrote:
> At 2:45 PM -0500 9/5/97, Jon Green wrote:
> >On Fri, 5 Sep 1997 15:24:58 -0400, jordyn at bestweb.net writes:
> >
> >>We're also using the following extended access list (along with
> >>anti-spoofing filters) to prevent smurf attacks from originating from our
> >>network:
> >>
> >>access-list XXX deny ip any 0.0.0.255 255.255.255.0
> >
> >
> >Folks, this is a bad idea. There are lots of completely valid IP
> >addresses out there that end in .255. True, most of them that
> >end in .255 ARE broadcast addresses, but if people implement this
> >kind of filtering on a large scale, it really breaks classless IP.
>
> Eep, this is true. (Stupid me).
>
> Haven't had any complaints yet from users unable to access anything yet,
> but so much for making the 'Net slightly safer from this crap.
Well, I'm not so sure it is a bad idea in all cases. Like anything, you
should apply this with a little forthought, however. If you know how your
network is configured, if you know how people have carved up their class B's
and such, you can eliminate a lot of the problems by doing this kind
of thing, especially if your network is not too large. It won't stop
a broadcast sent to a network like 129.129.4.0/22 (i.e. 129.129.7.255),
and the same is true for smaller networks, but if you have a bunch of class
B's and you have carved them up into /24's, then you can catch a lot of
the problems by doing just that filter. As a general rule, for everyone,
probably not!
--Rick
--
Rick Summerhill Network administrator, KANREN
5008 Canyon Road The University of Kansas
Manhattan, KS 66503 rrsum at kanren.net
(785) 539-6796 rrsum at cody.flinthills.com
More information about the NANOG
mailing list