[12141] in North American Network Operators' Group

Re: smurf's attack...

daemon@ATHENA.MIT.EDU (Rick Summerhill)
Fri Sep 5 17:41:45 1997

Date: Fri, 5 Sep 1997 16:23:45 -0500 (CDT)
From: Rick Summerhill <rrsum@cody.flinthills.com>
To: "Jordyn A. Buchanan" <jordyn@bestweb.net>
cc: nanog@merit.edu
In-Reply-To: <v03102814b0361462a1ad@[209.94.100.34]>

On Fri, 5 Sep 1997, Jordyn A. Buchanan wrote:

> At 2:45 PM -0500 9/5/97, Jon Green wrote:
> >On Fri, 5 Sep 1997 15:24:58 -0400, jordyn@bestweb.net writes:
> >
> >>We're also using the following extended access list (along with
> >>anti-spoofing filters) to prevent smurf attacks from originating from our
> >>network:
> >>
> >>access-list XXX deny ip any 0.0.0.255 255.255.255.0
> >
> >
> >Folks, this is a bad idea.  There are lots of completely valid IP
> >addresses out there that end in .255.  True, most of them that
> >end in .255 ARE broadcast addresses, but if people implement this
> >kind of filtering on a large scale, it really breaks classless IP.
> 
> Eep, this is true.  (Stupid me).
> 
> Haven't had any complaints yet from users unable to access anything yet,
> but so much for making the 'Net slightly safer from this crap.

Well, I'm not so sure it is a bad idea in all cases.  Like anything, you
should apply this with a little forethought, however.  If you know how your
network is configured, if you know how people have carved up their class B's
and such, you can eliminate a lot of the problems by doing this kind
of thing, especially if your network is not too large.  It won't stop
a broadcast sent to a network like 129.129.4.0/22 (i.e. 129.129.7.255),
and the same is true for smaller networks, but if you have a bunch of class
B's and you have carved them up into /24's, then you can catch a lot of
the problems by doing just that filter.  As a general rule, for everyone,
probably not!

--Rick

--
Rick Summerhill                          Network administrator, KANREN
5008 Canyon Road                         The University of Kansas
Manhattan, KS 66503                      rrsum@kanren.net
(785) 539-6796                           rrsum@cody.flinthills.com
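
An added example, not part of the thread or written by its participants: it evaluates the destination match of the quoted ACL against a constructed address plan and lists the subnet broadcast addresses the filter does not match and the usable host addresses it blocks. The 129.129.8.0/24 and 129.129.9.64/26 prefixes and all function names are assumptions made for illustration.

```python
import ipaddress

# Destination half of the ACL quoted in the thread: 0.0.0.255 255.255.255.0
ACL_ADDR = int(ipaddress.IPv4Address("0.0.0.255"))
ACL_WILDCARD = int(ipaddress.IPv4Address("255.255.255.0"))  # 1 bits = "don't care"


def acl_matches(dst):
    """True if the Cisco-style address/wildcard pair matches destination dst."""
    care = ~ACL_WILDCARD & 0xFFFFFFFF  # bits that must equal ACL_ADDR
    return (int(ipaddress.IPv4Address(str(dst))) & care) == (ACL_ADDR & care)


def audit(prefixes):
    """Compare the ACL with the real directed-broadcast address of each prefix.

    Returns (missed, collateral):
      missed     - subnet broadcast addresses the ACL does not match
      collateral - usable host addresses the ACL would deny
    """
    missed, collateral = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        bcast = net.broadcast_address
        if not acl_matches(bcast):
            missed.append(str(bcast))
        # Every address ending in .255 inside the prefix, except the
        # broadcast address itself, is an ordinary host address.
        first = int(net.network_address) | 0xFF
        for a in range(first, int(bcast), 256):
            collateral.append(str(ipaddress.IPv4Address(a)))
    return missed, collateral


# Constructed address plan: the /22 comes from the thread, the rest are samples.
PLAN = ["129.129.4.0/22", "129.129.8.0/24", "129.129.9.64/26"]

if __name__ == "__main__":
    missed, collateral = audit(PLAN)
    print("broadcasts not matched by the ACL:", missed)
    print("host addresses denied by the ACL: ", collateral)
```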
