SMURF amplifier block list

Brett Frankenberger brettf at netcom.com
Wed Apr 15 02:21:06 UTC 1998


:: Jay R. Ashworth writes ::
> 
> No, IMHO, the comment stands: no matter _what_ size your network is, if
> you assign host addresses with a .0 or .255 final octet, things may
> break, and you deserve what you get.

.255 and .0 are perfectly valid on /23 and shorter-prefixed subnets.
But many people have made that argument, so I'll get to a much more
important point:

There's no benefit at all to filtering .255 if your network is properly
configured.

(1) Let's suppose I block packets coming in to my network that have a
source address of X.X.X.255.  This does nothing for me.  Specifically,
it doesn't prevent amplified ECHO REPLYs from coming in.  Why?  Because
those packets don't have the source address of the broadcast address
that was used to get the amplification effect.  They have the unicast
source address of the individual machines that answered the ECHO
REQUESTS.  That is, let's suppose your Web Server is 200.200.5.5. 
Let's suppose that 100.100.100/24 is a viable amplification subnet.  If
I send ECHO REQUESTS with Source=200.200.5.5,
Destination=100.100.100.255, you will see lots of ECHO REPLYs coming at
your Web Server.  None will have Source Address 100.100.100.255. 
Instead, they will have Source Address 100.100.100.X, with 1<=X<=254.

(2) Let's suppose I block packets leaving my network with a destination
address of X.X.X.255.  This would tend to prevent users on my network
from initiating smurf attacks (in the above example, they would be
unable to send packets to the 100.100.100.255 amplifier).  But this is
an incredibly suboptimal way of preventing my users from launching
smurf attacks.  What I actually implement is filters that prevent
packets from leaving my network with a source address that isn't in my
address space.  This makes it impossible for my users to smurf anyone
but me (because, using the above example again, they can't get the
packets with Source Address 200.200.5.5 out of my network).

In other words, blocking Source Address=X.X.X.255 inbound does
absolutely nothing to prevent your network from being smurfed, and as
long as you properly configure to prevent source-address forgery,
blocking Destination Address=X.X.X.255 from leaving your network is
superfluous.

(Of course, blocking Destination Address=X.X.X.255 from coming in is
strictly a personal decision.  If you know all your networks are at
least as big as a /24, and you know that you don't use X.X.X.255 and
X.X.X.0, then blocking inbound packets to X.X.X.255 is a perfectly
valid way to configure your router to prevent yourself from being used
as an amplifier.  But that doesn't require that *other people* refrain
from using X.X.X.{0|255}, only that you do.)

          - Brett  (brettf at netcom.com)
 
------------------------------------------------------------------------------
                               ... Coming soon to a      | Brett Frankenberger
.sig near you ... a Humorous Quote ...                   | brettf at netcom.com
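The two points above, modelled as a small simulation. This is an added example, not code from Brett's message or anything NANOG published; it reuses the post's own addresses (victim 200.200.5.5, amplifier 100.100.100.0/24) and assumes, for the egress side, a constructed attacker network 150.150.0.0/16 with a host 150.150.1.1 and a constructed victim address space of 200.200.0.0/16. ICMP is reduced to a source, a destination and a kind; every host on the amplifier subnet is assumed to answer directed broadcast, which is the amplification condition the post describes.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "echo-request" or "echo-reply"


# Victim and amplifier come from the post; the two /16s and the attacker
# host are constructed for this example.
VICTIM = "200.200.5.5"
VICTIM_SPACE = ipaddress.ip_network("200.200.0.0/16")
ATTACKER = "150.150.1.1"
ATTACKER_SPACE = ipaddress.ip_network("150.150.0.0/16")
AMPLIFIER = ipaddress.ip_network("100.100.100.0/24")


def last_octet(addr: str) -> int:
    return int(ipaddress.ip_address(addr)) & 0xFF


def amplify(req: Packet, subnet: ipaddress.IPv4Network) -> list[Packet]:
    """Every host on a subnet that honours directed broadcast answers an
    ECHO REQUEST sent to the subnet's broadcast address. Each reply carries
    the answering host's unicast address (100.100.100.1 .. .254) as source,
    never the broadcast address itself."""
    if req.kind != "echo-request":
        return []
    if ipaddress.ip_address(req.dst) != subnet.broadcast_address:
        return []
    return [Packet(src=str(h), dst=req.src, kind="echo-reply") for h in subnet.hosts()]


# --- filter policies; each returns the packets that pass ---

def block_src_255(pkts: list[Packet]) -> list[Packet]:
    """Point (1): drop packets whose source address ends in .255."""
    return [p for p in pkts if last_octet(p.src) != 255]


def block_dst_255(pkts: list[Packet]) -> list[Packet]:
    """Point (2) and the parenthetical: drop packets destined to X.X.X.255."""
    return [p for p in pkts if last_octet(p.dst) != 255]


def anti_spoof_egress(pkts: list[Packet], my_space: ipaddress.IPv4Network) -> list[Packet]:
    """The filter the post actually implements: drop outbound packets whose
    source address is not inside my own address space."""
    return [p for p in pkts if ipaddress.ip_address(p.src) in my_space]


def forged_request() -> Packet:
    # Attacker forges the victim's address and aims at the amplifier broadcast.
    return Packet(src=VICTIM, dst=str(AMPLIFIER.broadcast_address), kind="echo-request")


def honest_request() -> Packet:
    # Same destination, but with the attacker's own address as source.
    return Packet(src=ATTACKER, dst=str(AMPLIFIER.broadcast_address), kind="echo-request")


def point_1_inbound_src_filter() -> tuple[int, int]:
    """Victim applies the .255 source filter to the amplified replies.
    Returns (replies generated, replies that still get through)."""
    replies = amplify(forged_request(), AMPLIFIER)
    return len(replies), len(block_src_255(replies))


def targets_after_egress(policy) -> list[str]:
    """Apply an egress policy at the attacker's border to the forged and the
    honest request, then report who ends up receiving amplified replies."""
    passed = policy([forged_request(), honest_request()])
    return sorted({r.dst for req in passed for r in amplify(req, AMPLIFIER)})


def amplifier_protected() -> int:
    """The parenthetical: the amplifier network drops inbound X.X.X.255 itself,
    so no reply is ever generated regardless of what anyone else filters."""
    return sum(len(amplify(req, AMPLIFIER)) for req in block_dst_255([forged_request()]))


if __name__ == "__main__":
    print("point 1 (replies, passed):", point_1_inbound_src_filter())
    print("no egress filter hits:", targets_after_egress(lambda p: p))
    print("block dst .255 hits:", targets_after_egress(block_dst_255))
    print("anti-spoof hits:", targets_after_egress(lambda p: anti_spoof_egress(p, ATTACKER_SPACE)))
    print("amplifier filtering inbound .255, replies:", amplifier_protected())
```

Running it shows the post's argument in numbers: the inbound .255 source filter passes all 254 amplified replies, because none of them carries the broadcast address as source; blocking outbound destination .255 stops both requests, but the anti-spoof egress filter is what matters, since the only request it lets out is the one whose replies come back to the attacker's own network (`150.150.1.1`).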
 


