[16225] in North American Network Operators' Group
Re: SMURF amplifier block list
daemon@ATHENA.MIT.EDU (Pete Ashdown)
Wed Apr 15 15:41:48 1998
From: Pete Ashdown <pashdown@xmission.com>
To: bross@mindspring.net (Brandon Ross)
Date: Wed, 15 Apr 1998 13:32:48 -0600 (MDT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.3.96.980414174344.14130X-100000@xymox.netops.mindspring.net> from "Brandon Ross" at Apr 14, 98 05:50:02 pm
Brandon Ross said once upon a time:
>
>On Tue, 14 Apr 1998, Stephen Sprunk wrote:
>
>> Are we really concerned about being smurfed by a /30, or even a /27?
>
>You should be. If I didn't have directed broadcasts turned off on my
>network, it would be a very effective smurf amplifier. Because ARIN keeps
>us on a very short leash, we use the smallest subnet we can get away with
>for our POPs. Some such sites are very well connected.
We should be concerned about receiving pings floods from two single
addresses? The the IP size of the network also figures into the nature of
the attack. Smurfing is made easier by large subnets without
directed-broadcast turned off. It is a lot more work to get the same
results from networks smaller than a /27.
