Home page logo
/

nanog logo nanog mailing list archives

Re: SMURF amplifier block list
From: Dean Anderson <dean () av8 com>
Date: Sat, 18 Apr 1998 14:22:25 -0400

Umm, I think this has already been hashed out. This is not the only netmask
on the planet, and you don't know what other networks netmasks are under
CIDR. Trying to guess the netmask just leads to breakage.

All you want to do is stop packets coming in to your broadcast address.
For example, for your network x.y.z/n  (n=24) with your broadcast address
of x.y.z.255: (I presume everyone can translate between CIDR notation and
dotted decimal ;-)

deny ip any x.y.z.255 255.255.255.255

no ip directed broadcast basically puts in the same rule, but it does it
automatically by looking at the netmasks on the interfaces.

                --Dean

Why don't use the filter

deny icmp any 0.0.0.255 255.255.255.0 echo-request

on the incoming lines? It just block 99.999% of this smurf amplifiers;
and I hardly think someone eve sence this restriction for the real PING
tests.

???



On Fri, 17 Apr 1998, Dean Anderson wrote:

Date: Fri, 17 Apr 1998 18:09:08 -0400
From: Dean Anderson <dean () av8 com>
To: jlixfeld () idirect ca
Cc: nanog () merit edu
Subject: Re: SMURF amplifier block list

Does no ip directed broadcast really work?

Yes. It works.

And it works for whatever your particular netmask or broadcast address
happens to be, which is what's important.

The only time you shouldn't do it globally is when some other network
really needs to see broadcasts.  For example, If we manage a client's
network with HP OpenView over the internet, we need to be able to send them
directed broadcasts, so that OpenView host discovery will work.  Patrol
works the same way, as do other products.  In this case you can't use the
"no ip directed broadcast" switch, but you can still set up access rules
which do the same thing except for the permitted network.

Bottom line is that you should protect your network from people who would
either abuse it via smurfing, or simply have no business looking for hosts
on your network. You have the tools to do it.

             --Dean


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  dean () av8 com
           LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
           We Make IT Fly!                (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++




Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095)
239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  dean () av8 com
           LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
           We Make IT Fly!                (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault