nanog mailing list archives

Re: SMURF amplifier block list
From: Dan Boehlke <dboehlke () mr net>
Date: Sat, 18 Apr 1998 12:39:29 -0500 (CDT)

What about people who didn't subnet their class B on the eight-bit 
boundary, but made larger subnets instead?  What about the class B that 
doesn't appear to be subnetted at all?  What about supernetted class C 
networks?  A trailing .255 can be a valid host.

On Sat, 18 Apr 1998, Alex P. Rudnev wrote:

Why not use the filter

 deny icmp any 0.0.0.255 255.255.255.0 echo-request

on the incoming lines? It just blocks 99.999% of these SMURF amplifiers, 
and I hardly think anyone will even notice this restriction for real PING 
tests.

???



On Fri, 17 Apr 1998, Dean Anderson wrote:

Date: Fri, 17 Apr 1998 18:09:08 -0400
From: Dean Anderson <dean () av8 com>
To: jlixfeld () idirect ca
Cc: nanog () merit edu
Subject: Re: SMURF amplifier block list

Does no ip directed-broadcast really work?

Yes. It works.

And it works for whatever your particular netmask or broadcast address
happens to be, which is what's important.

The only time you shouldn't do it globally is when some other network
really needs to see broadcasts.  For example, if we manage a client's
network with HP OpenView over the Internet, we need to be able to send them
directed broadcasts so that OpenView host discovery will work.  Patrol
works the same way, as do other products.  In this case you can't use the
"no ip directed-broadcast" switch, but you can still set up access rules
which do the same thing except for the permitted network.

Bottom line is that you should protect your network from people who would
either abuse it via smurfing, or simply have no business looking for hosts
on your network. You have the tools to do it.

            --Dean


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  dean () av8 com
           LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
           We Make IT Fly!                (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++




Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)


--
Dan Boehlke, Senior Network Engineer                          M R N e t
Internet:  dboehlke () mr net                       A MEANS Telcom Company
Phone:  612-362-5814                  2829 SE University Ave. Suite 200
WWW: http://www.mr.net/~dboehlke/                Minneapolis, MN  55414
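The disagreement in this thread (Alex's last-octet filter versus Dan's objection that a trailing .255 can be a valid host, and Dean's point that the router's own interface mask is what decides whether a packet is a directed broadcast) can be made concrete. The Python below is an added example, not code from any poster. It implements Cisco wildcard-mask matching for the proposed rule, computes the real broadcast address for a destination given the actual prefix length, and classifies each destination. The subnets and addresses are constructed test data from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and RFC 1918 space; the /25 case goes beyond what the thread mentions and shows the filter also missing broadcasts of subnets longer than /24.

```python
import ipaddress


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco ACL wildcard semantics: a 0 bit in the wildcard must match,
    a 1 bit is 'don't care'. 255.255.255.0 therefore compares only the
    last octet."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (p & care)


def filter_denies(dst: str) -> bool:
    """The rule proposed in the thread:
    deny icmp any 0.0.0.255 255.255.255.0 echo-request
    (source 'any', destination last octet == 255)."""
    return wildcard_match(dst, "0.0.0.255", "255.255.255.0")


def is_directed_broadcast(dst: str, subnet: str) -> bool:
    """What 'no ip directed-broadcast' effectively checks: the router knows
    the mask on the receiving interface, so it compares against the true
    broadcast address, whatever the prefix length."""
    net = ipaddress.IPv4Network(subnet, strict=False)
    return ipaddress.IPv4Address(dst) == net.broadcast_address


def classify(dst: str, subnet: str) -> str:
    """Compare the heuristic ACL with the exact per-interface check."""
    denied = filter_denies(dst)
    bcast = is_directed_broadcast(dst, subnet)
    if denied and bcast:
        return "blocked amplifier"
    if denied and not bcast:
        return "false positive (valid host blocked)"
    if bcast:
        return "missed amplifier"
    return "allowed host"


# Constructed cases mirroring the objections raised in the thread.
CASES = [
    # classic /24: the rule does what Alex intends
    ("192.0.2.255", "192.0.2.0/24"),
    # supernetted class Cs: .100.255 is a host, broadcast is .101.255
    ("198.51.100.255", "198.51.100.0/23"),
    # class B subnetted into /22s: three of the four .255s are hosts
    ("172.16.0.255", "172.16.0.0/22"),
    # class B not subnetted at all
    ("172.16.5.255", "172.16.0.0/16"),
    # generalization beyond the thread: a /25 broadcast ends in .127
    ("203.0.113.127", "203.0.113.0/25"),
    # ordinary host, untouched by either control
    ("203.0.113.10", "203.0.113.0/25"),
]


def evaluate(cases=CASES) -> dict:
    """Return {destination: classification} for the constructed cases."""
    return {dst: classify(dst, subnet) for dst, subnet in cases}


if __name__ == "__main__":
    for dst, verdict in evaluate().items():
        print(f"{dst:16} {verdict}")
```

The output makes the trade-off visible: the one-line ACL needs no knowledge of the remote network and catches every broadcast of a /24 or shorter prefix, but it blocks legitimate hosts in /23, /22 and unsubnetted /16 networks and misses /25 and longer broadcasts entirely, whereas the per-interface setting is exact because the router already holds the mask.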


