[45197] in North American Network Operators' Group
Re: traffic filtering
daemon@ATHENA.MIT.EDU (Avleen Vig)
Mon Jan 21 20:55:04 2002
Date: Tue, 22 Jan 2002 01:47:47 +0000 (GMT)
From: Avleen Vig <lists-nanog@silverwraith.com>
To: Stephen Griffin <stephen.griffin@rcn.com>
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <200201212253.RAA05576@elektra.ultra.net>
Message-ID: <20020122013206.N66495-100000@apple.silverwraith.com>
On Mon, 21 Jan 2002, Stephen Griffin wrote:
>
> Is this type of filtering common? What alternate solutions are available
> to mitigate (I'm assuming) concerns about smurf amplifiers, that still
> allow traffic to/from legitimate addresses. What rationale is used to
> filter all traffic to network/broadcast addresses of /24 networks while
> ignoring network/broadcast of /25-/30? For that matter, what percentage
> of smurf amplifiers land on /24 boundaries?

As of last Monday / Tuesday, approximately 45% of all smurf amplifiers in
the RIPE region had addresses ending in .0 or .255 [1].
I'm unsure about ARIN / APNIC IP space.

I would certainly hope the kind of filtering you mention is uncommon :)
If you filter on your ingress, packets whose destination address ends in .0
or .255, and you are a smurf amplifier, you're only stalling the
inevitable.

The best course of action is to fix the smurf amplifier itself :)
Check http://www.ircnetops.org/smurf/faq.php if you need to do this.

Regards,

[1] = Data provided by SAFE (http://www.ircnetops.org/smurf)

--
Avleen Vig
Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf
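
Added example, not part of the original message: a coverage check of the ".0/.255" destination filter discussed in this thread, showing which network/broadcast addresses it lets through for /25-/30 subnets and which ordinary host addresses it drops in networks larger than /24. The block 10.0.0.0/22 and the function names are constructed for illustration.

```python
import ipaddress

def octet_filter_drops(addr: ipaddress.IPv4Address) -> bool:
    """The filter from the thread: drop if the destination's last octet is 0 or 255."""
    return (int(addr) & 0xFF) in (0, 255)

def audit(block: str, prefixlen: int):
    """Carve `block` into subnets of length `prefixlen` and score the filter.

    Returns (missed, false_drops):
      missed      - network/broadcast addresses the filter lets through
      false_drops - ordinary host addresses the filter discards
    """
    net = ipaddress.ip_network(block)
    if not net.prefixlen <= prefixlen <= 30:
        # /31 (RFC 3021) and /32 have no separate network/broadcast address.
        raise ValueError("prefixlen must be between the block's length and 30")
    missed, false_drops = [], []
    for sub in net.subnets(new_prefix=prefixlen):
        for special in (sub.network_address, sub.broadcast_address):
            if not octet_filter_drops(special):
                missed.append(special)
        false_drops.extend(h for h in sub.hosts() if octet_filter_drops(h))
    return missed, false_drops

if __name__ == "__main__":
    BLOCK = "10.0.0.0/22"  # constructed sample block, not from the thread
    for plen in (22, 24, 25, 27, 30):
        missed, false_drops = audit(BLOCK, plen)
        print(f"/{plen}: {len(missed):3d} network/broadcast addresses pass, "
              f"{len(false_drops)} host addresses dropped")
```

Only the /24 split is handled exactly; every longer prefix leaves network/broadcast addresses unfiltered, and the /22 loses six usable host addresses.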