Home page logo
/

nanog logo nanog mailing list archives

Re: IP flooding by using broadcast address
From: Joe Rhett <jrhett () ISite Net>
Date: Sat, 19 Jul 1997 21:11:28 -0700 (PDT)


         I believe that it's QUITE rare to have an application that
         is both *routed* and uses the broadcast address.  This is
         made harder when you VLSM, but I belive the majority of
         networks are provisioned on an 8 bit boundary, so you can
         filter 90% of the traffic by filtering to the .255 address.
 
This is a _very_ bad assumption, with a nasty effect on perfectly valid
traffic. Now that bridging (ala switching) is popular again, there are
enormous numbers of supernetted class C networks out there. I can think of
10 sites right now, without thinking hard. I'm sure I could find another
100 without too much work. And that's just the sites I know of personally!!

This simply doesn't work as a mechanism. There are only two solutions:

1. Disable ping reply to your hosts (annoys some people, but prevents this
attacks..)

2. Disable packets to broadcast addresses on the SOURCE networks. This is
the only reliable solution, since only the local admin knows what the nets
are. 

( Unfortunately, cisco router filters are perfectly blind to this sort of
attack. You need two or three filters for each one ...)

      I think it would be very wise of cisco to have a global flag
(or at least, a per-interface flag) which would prevent the forwarding
of a packet to an all-ones address.  If cisco won't add this feature,

Yes!

-- 
Joe Rhett                                                 Systems Engineer
JRhett () ISite Net                                          ISite Services

PGP keys and contact information:     http://www.navigist.com/Staff/JRhett


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]