smurf's attack...

Rick Summerhill rrsum at cody.flinthills.com
Fri Sep 5 21:23:45 UTC 1997


On Fri, 5 Sep 1997, Jordyn A. Buchanan wrote:

> At 2:45 PM -0500 9/5/97, Jon Green wrote:
> >On Fri, 5 Sep 1997 15:24:58 -0400, jordyn at bestweb.net writes:
> >
> >>We're also using the following extended access list (along with
> >>anti-spoofing filters) to prevent smurf attacks from originating from our
> >>network:
> >>
> >>access-list XXX deny ip any 0.0.0.255 255.255.255.0
> >
> >
> >Folks, this is a bad idea.  There are lots of completely valid IP
> >addresses out there that end in .255.  True, most of them that
> >end in .255 ARE broadcast addresses, but if people implement this
> >kind of filtering on a large scale, it really breaks classless IP.
> 
> Eep, this is true.  (Stupid me).
> 
> Haven't had any complaints yet from users unable to access anything yet,
> but so much for making the 'Net slightly safer from this crap.

Well, I'm not so sure it is a bad idea in all cases.  Like anything, you
should apply this with a little forthought, however.  If you know how your
network is configured, if you know how people have carved up their class B's
and such, you can eliminate a lot of the problems by doing this kind
of thing, especially if your network is not too large.  It won't stop
a broadcast sent to a network like 129.129.4.0/22 (i.e. 129.129.7.255),
and the same is true for smaller networks, but if you have a bunch of class
B's and you have carved them up into /24's, then you can catch a lot of
the problems by doing just that filter.  As a general rule, for everyone,
probably not!

--Rick

--
Rick Summerhill                          Network administrator, KANREN
5008 Canyon Road                         The University of Kansas
Manhattan, KS 66503                      rrsum at kanren.net
(785) 539-6796                           rrsum at cody.flinthills.com




More information about the NANOG mailing list