smurf's attack...

• Previous message (by thread): smurf's attack...
• Next message (by thread): smurf's attack...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > Likewise, not all broadcast adresses necessarily end with .255, 
> > so filtering .255 won't help anyway in the presence of something
> > like a /25 with a X.X.X.127 broadcast.
> 
> Agreed but it is not easy for a hacker to determine CIDR masks.  It
> is my impression that the only thing being sent is classfull broadcasts.

   That's unfortunatly not true.  My hope is that this will change -
I just sent CERT an advisory about this, and they're contacting 
several vendors whose equipment is misconfigured - but a very large
number of systems out there will very cheerfully let you know their
broadcast mask in violation of the Host Requirements RFC.

   It would take a bit more work to code a "smurf" program to first
determine the broadcast mask, but since the smurf program uses 
hardcoded target addresses, all it would take is for someone to
probe a few networks adequately, build them in to the next release
of the smurf program, and start using it.

   I agree with the point of the discussion, however - many, many
networks are broken in to /24s for various reasons, but blocking
packets _outbound_ to what you presume are broadcast addresses
is a bad thing.

   (Btw:  If you feel the desire to _not_ let your netmasks hang
out in the open, you can use an access list like:

   access-list blah deny icmp any any mask-request

   Most sites should have NO need to allow mask requests or replies
in and out of their internal network).

    -Dave Andersen

• Previous message (by thread): smurf's attack...
• Next message (by thread): smurf's attack...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]