SMURF amplifier block list

Jason Lixfeld jlixfeld at
Fri Apr 24 02:36:58 UTC 1998

Really?  I thought that extended access-lists needed wildcard masks which
is why I said  If an inbound access-list on a hssi says:

access-list 101 deny icmp any

It is denying only packets with a destination to any.any.any.255.  In the
example below, he is actually denying anything from anywhere, not the

deny ip any x.y.z.255

If he wanted to deny ip to broadcasts on a specific network, he would:

deny ip any x.y.z.255 
deny ip any host x.y.z.255

Am I lost here?! =P

On Sun, 19 Apr 1998, Dean Anderson wrote:

:No, because you only want to stop the packets coming into the broadcast
:address, not the entire network. (You may want to block the entire network,
:say for security reasons, but that's a slightly different issue).
:I suspect that you are confused with the wildcarding. The second parameter
:is a mask for the first. All ones on the mask mean it matches exactly the
:first address. Leaving the last octet of the mask 0 means it matches all ip
:addresses that begin with x.y.z, including the broadcast address.
:		--Dean
:At 6:46 PM -0400 4/19/98, jlixfeld at wrote:
:>Uhmm, would the wildcard not be
:>On Sat, 18 Apr 1998, Dean Anderson wrote:
:>:Umm, I think this has already been hashed out. This is not the only netmask
:>:on the planet, and you don't know what other networks' netmasks are under
:>:CIDR. Trying to guess the netmask just leads to breakage.
:>:All you want to do is stop packets coming in to your broadcast address.
:>:For example, for your network x.y.z/n  (n=24) with your broadcast address
:>:of x.y.z.255: (I presume everyone can translate between CIDR notation and
:>:dotted decimal ;-)
:>:deny ip any x.y.z.255
:>:no ip directed broadcast basically puts in the same rule, but it does it
:>:automatically by looking at the netmasks on the interfaces.
:           Plain Aviation, Inc                  dean at
:           We Make IT Fly!                (617)242-3091 x246


Jason A. Lixfeld             jlixfeld at
iDirect Network Operations   jlixfeld at

TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      |
Suite 301, Toronto Ontario   | (416) 236-5806	     (T)
M9B-1B5 CANADA               | (416) 236-5804        (F)
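
Added example, not part of the original messages: a small evaluator for Cisco-style wildcard masks (a 0 bit in the mask must match, a 1 bit is ignored) that shows which destinations each form of deny entry discussed in this thread would cover, and why a pattern that matches any address ending in .255 is not the same as matching directed broadcasts under CIDR. The addresses are constructed documentation ranges, and `ace_matches`, `matched_by` and `directed_broadcast` are names chosen for this example.

```python
import ipaddress


def to_int(addr):
    """Dotted-quad string to 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def ace_matches(ace_addr, wildcard, dst):
    """Cisco-style wildcard match: only bits that are 0 in the wildcard are compared."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(dst) & care) == (to_int(ace_addr) & care)


def directed_broadcast(prefix):
    """Directed-broadcast address of a prefix, derived from its real mask."""
    return str(ipaddress.IPv4Network(prefix).broadcast_address)


# Constructed destination patterns (address, wildcard). 192.0.2.0/24 and
# 198.51.100.0/23 are documentation ranges standing in for x.y.z in the thread.
ACES = {
    "host 192.0.2.255": ("192.0.2.255", "0.0.0.0"),           # one address only
    "192.0.2.0 0.0.0.255": ("192.0.2.0", "0.0.0.255"),        # the whole /24
    "0.0.0.255 255.255.255.0": ("0.0.0.255", "255.255.255.0"),  # anything ending .255
}


def matched_by(dst):
    """Names of the constructed entries whose destination pattern covers dst."""
    return [name for name, (a, w) in ACES.items() if ace_matches(a, w, dst)]


if __name__ == "__main__":
    for dst in ("192.0.2.255", "192.0.2.10", "198.51.100.255", "192.0.2.127"):
        print(f"{dst:16} matched by {matched_by(dst)}")
    # Under CIDR the broadcast address depends on the prefix length:
    for prefix in ("192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/23"):
        print(f"{prefix:18} directed broadcast {directed_broadcast(prefix)}")
```

In the /23 case the address ending in .255 inside the first half of the prefix is an ordinary host, and in the /25 case the broadcast ends in .127, so only the real prefix length identifies the address to filter.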
