nanog mailing list archives

Re: SMURF amplifier block list
From: Stephen Sprunk <sprunk () paranet com>
Date: Tue, 14 Apr 1998 16:37:20 -0500

Aaron Beck wrote:

> I'm kind of under the impression that we're (ok, just me, but anyone
> else is welcome to jump on this bandwagon) trying to point out that
> class based thinking.. or even "well, most of the net is this" thinking is
> probably a bad idea.

The fact is that a /24 is far more dangerous as a smurf amplifier than a
/30.  Simple math tells you that there's 127 times as many possible
hosts hitting you.

> Kludges n' hacks may work most of the time, but
> kludges and hacks are just that.. kludgey and hackish.  Hard coded
> defines, precompiled bins, etc have proven to be a less elegant method in
> other areas of the computing world... why should we repeat the same kind
> of mistake in the networking field?

Who suggested putting a x.x.x.255 filter into IOS itself?  An
access-list in a config is hardly hard-coding.

> A smurf attack is just that, a smurf
> attack.  Wouldn't the overall goal include removing the attack possibility
> in its entirety, not just a temporary solution that may solve some of the
> problems, but definitely not all of them?

If you have a suggestion for "removing the attack possibility in its
entirety," please tell us.  So far, nobody's come up with one.

In the meantime, I'd rather solve 99% of the problem and deal with the
remaining 1% than sit around arguing about "class based thinking" and
"stereotypical ideologies" in between smurf attacks.

> Assuming that most of the net is based on /24s, and that smaller subnets
> are generally internal to those /24's may be a safe assumption, but once
> again it's probably not the best way to think about this problem (not that
> I have any hints on what the best way should be, but I'm fairly certain
> that applying a stereotypical ideology to this is "not a good thing").

Look at the list of IP addresses used in any smurf attack, and they will
almost always be class C or class B broadcast addresses, usually the
address of a NAP or well-connected ISP.  There's no sense targeting a
solution for a problem which doesn't exist.  Solve the general case and
buy time for the more specialized ones.

> just my two bits and a lot of run on sentences.


Stephen Sprunk      "Oops."                 Email: sprunk () paranet com
Sprint Paranet        -Albert Einstein      ICBM:  33.00151N 96.82326W
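
The trade-off argued in this thread, as an added example that is not part of the original messages: it measures which subnet broadcast addresses a filter on destinations ending in .255 catches at each prefix length, and how many hosts each subnet size can contribute. The function names are hypothetical and the address blocks are constructed (documentation and benchmarking ranges).

```python
import ipaddress


def usable_hosts(prefix_len):
    """Hosts that can answer a directed broadcast on an IPv4 subnet of this size."""
    return max(2 ** (32 - prefix_len) - 2, 0)


def matches_255_filter(addr):
    """True if a filter on destinations ending in .255 would match this address."""
    return int(ipaddress.IPv4Address(addr)) & 0xFF == 0xFF


def filter_coverage(block, prefix_len):
    """Split block into subnets of prefix_len and count broadcasts the filter matches.

    Returns (caught, total): subnets whose broadcast address ends in .255,
    and the number of subnets examined.
    """
    subnets = list(ipaddress.ip_network(block).subnets(new_prefix=prefix_len))
    caught = sum(matches_255_filter(n.broadcast_address) for n in subnets)
    return caught, len(subnets)


if __name__ == "__main__":
    # Constructed sample blocks, not addresses from any real incident.
    cases = [("198.18.0.0/16", 16), ("198.18.0.0/16", 22), ("192.0.2.0/24", 24),
             ("192.0.2.0/24", 25), ("192.0.2.0/24", 28), ("192.0.2.0/24", 30)]
    print("block            prefix  hosts/subnet  broadcasts caught")
    for block, plen in cases:
        caught, total = filter_coverage(block, plen)
        print(f"{block:<16} /{plen:<6} {usable_hosts(plen):<13} {caught}/{total}")
```

Every subnet of /24 or shorter has a broadcast address ending in .255, so the filter matches all of them; for longer prefixes it matches only the last subnet in each /24, and those missed subnets hold far fewer hosts each.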
