SMURF amplifier block list
bross at mindspring.net
Wed Apr 15 20:27:13 UTC 1998
On Wed, 15 Apr 1998, Pete Ashdown wrote:
>> Are we really concerned about being smurfed by a /30, or even a /27?
> We should be concerned about receiving ping floods from two single
> addresses? The IP size of the network also figures into the nature of
> the attack. Smurfing is made easier by large subnets without
> directed-broadcast turned off. It is a lot more work to get the same
> results from networks smaller than a /27.
Sorry, I should have been more clear. I took that earlier statement to
mean that we shouldn't be concerned about amplification networks smaller
than /24. I felt that was implied by the discussion about filtering
addresses ending in .255. The point I was trying to make is that I have
many networks with masks longer than /24 (the majority of which are
shorter than /27) that would make very effective smurf amplifiers if I
didn't have directed broadcasts turned off. In my experience I've found
that many networks use /24's, not because they necessarily need 254 hosts
on that network, but because it's convenient since the network/host number
falls on an octet boundary. Most of these networks I've seen have
significantly less than 254 hosts on them. My networks with longer masks
are much denser than what I've seen is the average /24, and therefore
possibly more dangerous as amplifiers.
Brandon Ross Network Engineering 404-815-0770 800-719-4664
Chief Network Engineer MindSpring Enterprises, Inc info at mindspring.com
Mosher's Law of Software Engineering: Don't worry if it doesn't work
right. If everything did, you'd be out of a job.