smurf's attack..i

Steve Noble steve at altrina.exodus.net
Fri Sep 5 21:40:29 UTC 1997


If you are going to filter, you can just filter ICMP for now, that's the
major protocol used in the attack, that way you are only slightly
affecting those who might have a .255 address on one of their machines.

So

    access-list xxx deny icmp any 0.0.0.255 255.255.255.0

and

    access-list xxx deny icmp any 0.0.0.0 255.255.255.0

are pretty safe ones.

Oh yes, if you didn't notice already they are using the .0 network
address, and from what I've seen the number of attacks launched using .0
as compared to .255 has been steadily rising.

And while turning off ip directed broadcast will mostly take care of this
issue, it's only a complete solution if your customers also do it, so
filtering is still a good idea IMHO. 

On Fri, 5 Sep 1997, Phil Howard wrote:

> Randy Bush writes...
> 
> > > access-list XXX deny ip any 0.0.0.255 255.255.255.0
> > 
> > You must be kidding.  Why not
> > 
> > access-list XXX deny ip any 0.0.0.42 255.255.255.0
> 
> I like...
> 
> access-list XXX deny ip any 0.0.0.1 255.255.255.254
> 
> ...better.
> 
> -- 
> Phil Howard KA9WGN   +-------------------------------------------------------+
> Linux Consultant     |  Linux installation, configuration, administration,   |
> Milepost Services    |  monitoring, maintenance, and diagnostic services.    |
> phil at milepost.com +-------------------------------------------------------+
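
Added example, not part of the original messages: a small evaluator for the wildcard-mask matching used by the ACL entries in this thread, run against constructed destination addresses to show which real hosts the two ICMP deny entries also catch and which subnet broadcasts they miss. The function names, sample addresses and prefix lengths are assumptions made for illustration.

```python
import ipaddress

def acl_matches(addr, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are "don't care"."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# Destination part of the two ICMP deny entries from the message.
DENY = [("0.0.0.255", "255.255.255.0"), ("0.0.0.0", "255.255.255.0")]

def denied(dst):
    """True if either deny entry matches the destination address."""
    return any(acl_matches(dst, base, wc) for base, wc in DENY)

def classify(dst, network):
    """Return (what dst really is inside `network`, whether the ACL denies it)."""
    net = ipaddress.ip_network(network)
    ip = ipaddress.ip_address(dst)
    if ip == net.broadcast_address:
        role = "broadcast"
    elif ip == net.network_address:
        role = "network"
    else:
        role = "host"
    return role, denied(dst)

# Constructed samples (documentation and RFC 1918 ranges, assumed prefixes).
SAMPLES = [
    ("192.0.2.255", "192.0.2.0/24"),   # /24 broadcast: denied as intended
    ("192.0.2.0",   "192.0.2.0/24"),   # /24 network address: denied as intended
    ("10.1.0.255",  "10.1.0.0/23"),    # ordinary host in a /23, still denied
    ("10.1.1.0",    "10.1.0.0/23"),    # ordinary host in a /23, still denied
    ("192.0.2.127", "192.0.2.0/25"),   # /25 broadcast, not matched by either entry
    ("192.0.2.10",  "192.0.2.0/24"),   # ordinary host, passes
]

def report():
    """One (dst, network, role, denied) tuple per sample."""
    return [(dst, net) + classify(dst, net) for dst, net in SAMPLES]

if __name__ == "__main__":
    for dst, net, role, hit in report():
        print(f"{dst:15} in {net:15} {role:9} -> {'deny' if hit else 'pass'}")
```

The /23 rows are the ".255 address on one of their machines" case from the message; the /25 row shows that matching only on the last octet does not cover broadcasts of subnets longer than /24.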



