Home page logo

nanog logo nanog mailing list archives

Re: Filtering ICMP (Was Re: SMURF amplifier block list)
From: Michael Dillon <michael () memra com>
Date: Mon, 20 Apr 1998 23:12:46 -0700 (PDT)

On Tue, 21 Apr 1998, Mark Whitis wrote:

Really, you should filter the known broadcast addresses of
your downstream networks with the cooperation of those networks.

Exactly! You can run your own tests for likely broadcast addresses and if
you find an open broadcast address you should contact the downstream
network and ask if they can block directed broadcasts and if they can't
then you should get their permission to filter traffic to the open
broadcast address and regardless of their permission you should contact
the vendor of their equipment to inquire why the equipment is broken and
unsuitable for use on the Internet. And it would be nice to forward any
vendor info to Craig Huegen chuegen () quadrunner com so he can update his
SMURF document and submit it for publication as an informational RFC with
all the vendor info in place.

What I was objecting to was the idea that some ISP would get
the idea that it was a good idea to filter all .255 destined traffic
passing through their network


Actually, even if they don't know the subnet structure before hand, they
will discover this, as far as is relevent to smurfing, when they perform
a smurf scan on their own CIDR blocks.  Any address that results in
multiple smurf type echo replies from different addresses would be
considered a broadcast address; any that didn't, wouldn't.

Exactly! And by cleaning up your downstream vulnerabilities you reduce the
chances that your entire address space will be blocked by other network

Michael Dillon                   -               Internet & ISP Consulting
http://www.memra.com             -               E-mail: michael () memra com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]