North American Network Operators Group
Re: smurf's attack...
On Fri, 5 Sep 1997, Jordyn A. Buchanan wrote:

> At 2:45 PM -0500 9/5/97, Jon Green wrote:
> >On Fri, 5 Sep 1997 15:24:58 -0400, firstname.lastname@example.org writes:
> >
> >>We're also using the following extended access list (along with
> >>anti-spoofing filters) to prevent smurf attacks from originating from our
> >>network:
> >>
> >>access-list XXX deny ip any 0.0.0.255 255.255.255.0
> >
> >
> >Folks, this is a bad idea.  There are lots of completely valid IP
> >addresses out there that end in .255.  True, most of them that
> >end in .255 ARE broadcast addresses, but if people implement this
> >kind of filtering on a large scale, it really breaks classless IP.
>
> Eep, this is true.  (Stupid me).
>
> Haven't had any complaints from users unable to access anything yet,
> but so much for making the 'Net slightly safer from this crap.

Well, I'm not so sure it is a bad idea in all cases.  Like anything, you
should apply this with a little forethought, however.  If you know how
your network is configured, if you know how people have carved up their
class B's and such, you can eliminate a lot of the problems by doing this
kind of thing, especially if your network is not too large.  It won't
stop a broadcast sent to a network like 126.96.36.199/22 (i.e.
188.8.131.52), and the same is true for smaller networks, but if you have
a bunch of class B's and you have carved them up into /24's, then you can
catch a lot of the problems by doing just that filter.  As a general
rule, for everyone, probably not!

--Rick

--
Rick Summerhill
Network administrator, KANREN
5008 Canyon Road
The University of Kansas
Manhattan, KS 66503
email@example.com
(785) 539-6796
firstname.lastname@example.org
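The two positions in this thread (Jon Green's "a .255 wildcard match breaks classless IP" and Rick's "it works if you know how your own blocks are carved up") can be checked mechanically against an address plan. The following is an added example, not code from the thread or from any of its authors. It emulates the wildcard-mask semantics of the quoted `access-list XXX deny ip any 0.0.0.255 255.255.255.0` entry, compares what it matches against the real directed-broadcast addresses of a constructed, hypothetical address plan (RFC 5737 documentation prefixes, not any operator's network), and emits the per-prefix deny lines an operator who does know their plan would use instead. The prefix list, the `classify` labels and the ACL number `XXX` are assumptions for illustration.

```python
import ipaddress

# Wildcard-mask semantics of a Cisco extended ACL entry such as
#   access-list XXX deny ip any 0.0.0.255 255.255.255.0
# A wildcard bit of 1 means "don't care"; bits set to 0 must match the pattern.
ACL_PATTERN = ipaddress.IPv4Address("0.0.0.255")
ACL_WILDCARD = ipaddress.IPv4Address("255.255.255.0")


def acl_matches(dst, pattern=ACL_PATTERN, wildcard=ACL_WILDCARD):
    """True if destination dst is matched by the pattern/wildcard pair."""
    dst = ipaddress.ip_address(dst)
    care = 0xFFFFFFFF ^ int(wildcard)          # bits the ACL actually compares
    return (int(dst) & care) == (int(pattern) & care)


# Constructed address plan (assumption, documentation prefixes only):
# two blocks carved into /24s, one /23, and a pair of /25s.
KNOWN_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("198.51.101.0/24"),
    ipaddress.ip_network("203.0.112.0/23"),
    ipaddress.ip_network("192.0.2.0/25"),
    ipaddress.ip_network("192.0.2.128/25"),
]


def broadcast_addresses(prefixes):
    """The directed-broadcast address of every prefix in the plan."""
    return {n.broadcast_address for n in prefixes}


def classify(dst, prefixes):
    """
    Compare what the .255 wildcard filter does with what the operator
    actually wants (drop directed broadcasts, pass everything else).
    Returns one of:
      'blocked-broadcast'   - filter hit a real broadcast address (desired)
      'blocked-valid-host'  - filter hit a legitimate host ending in .255
                              (the classless-IP breakage Jon Green describes)
      'missed-broadcast'    - a real broadcast address the filter lets through
                              (prefixes longer than /24, e.g. a /25's .127)
      'passed-host'         - ordinary host address, passed as intended
    """
    dst = ipaddress.ip_address(dst)
    is_bcast = dst in broadcast_addresses(prefixes)
    caught = acl_matches(dst)
    if caught and is_bcast:
        return "blocked-broadcast"
    if caught:
        return "blocked-valid-host"
    if is_bcast:
        return "missed-broadcast"
    return "passed-host"


def exact_deny_lines(prefixes, acl_number="XXX"):
    """
    The 'if you know your network' approach: one host-specific deny per
    actual broadcast address, with no false positives on .255 hosts and
    no misses on sub-/24 prefixes. ACL number is a placeholder assumption.
    """
    return [
        f"access-list {acl_number} deny ip any host {b}"
        for b in sorted(broadcast_addresses(prefixes))
    ]


if __name__ == "__main__":
    for probe in ("198.51.100.255", "203.0.112.255", "192.0.2.127", "192.0.2.10"):
        print(f"{probe:16} -> {classify(probe, KNOWN_PREFIXES)}")
    print("\n".join(exact_deny_lines(KNOWN_PREFIXES)))
```

Running the probes against the constructed plan shows all three outcomes in one place: `198.51.100.255` is a /24 broadcast and is blocked as intended, `203.0.112.255` is a perfectly valid host inside the /23 but is still dropped by the wildcard entry, and `192.0.2.127` is the first /25's broadcast and sails straight through. The per-prefix `host` entries only work for blocks you administer yourself; for traffic destined to other people's networks, the edge-router fix is to stop forwarding directed broadcasts on the interfaces themselves (`no ip directed-broadcast` on IOS), which needs no knowledge of anyone's subnetting.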