nanog mailing list archives

Re: IP flooding by using broadcast address


From: Joe Rhett <jrhett () ISite Net>
Date: Sat, 19 Jul 1997 21:11:28 -0700 (PDT)


         I believe that it's QUITE rare to have an application that
         is both *routed* and uses the broadcast address.  This is
         made harder when you VLSM, but I believe the majority of
         networks are provisioned on an 8 bit boundary, so you can
         filter 90% of the traffic by filtering to the .255 address.
 
This is a _very_ bad assumption, with a nasty effect on perfectly valid
traffic. Now that bridging (a la switching) is popular again, there are
enormous numbers of supernetted class C networks out there. I can think of
10 sites right now, without thinking hard. I'm sure I could find another
100 without too much work. And that's just the sites I know of personally!!

This simply doesn't work as a mechanism. There are only two solutions:

1. Disable ping reply to your hosts (annoys some people, but prevents these
attacks.)

2. Disable packets to broadcast addresses on the SOURCE networks. This is
the only reliable solution, since only the local admin knows what the nets
are. 

( Unfortunately, cisco router filters are perfectly blind to this sort of
attack. You need two or three filters for each one ...)

      I think it would be very wise of cisco to have a global flag
      (or at least, a per-interface flag) which would prevent the forwarding
      of a packet to an all-ones address.  If cisco won't add this feature,

Yes!

-- 
Joe Rhett                                                 Systems Engineer
JRhett () ISite Net                                          ISite Services

PGP keys and contact information:     http://www.navigist.com/Staff/JRhett
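Added illustration, not part of the original post or thread: the script below models the two filter designs argued over above. It compares the quoted ".255 heuristic" against a check that knows the real prefixes (the point that "only the local admin knows what the nets are"), and models the per-interface "don't forward to the all-ones address" knob the last quoted paragraph asks for. The prefixes and destination addresses are constructed sample values from documentation ranges; the function names are this example's own.

```python
import ipaddress

# Constructed sample prefixes standing in for the nets only the local admin
# knows: two supernetted class Cs behind a bridge/switch, a VLSM-split class C,
# and one classic 8-bit-boundary class C.
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/23"),        # supernet: 192.0.2.0 - 192.0.3.255
    ipaddress.ip_network("198.51.100.0/25"),     # VLSM: broadcast is .127
    ipaddress.ip_network("198.51.100.128/25"),   # VLSM: broadcast is .255
    ipaddress.ip_network("203.0.113.0/24"),      # plain class C
]


def naive_dot255_filter(dst: str) -> bool:
    """The heuristic quoted in the thread: drop anything whose last octet is 255."""
    return ipaddress.ip_address(dst).packed[-1] == 0xFF


def prefix_aware_filter(dst: str, prefixes=LOCAL_PREFIXES) -> bool:
    """Drop only a destination that is the all-ones (directed-broadcast) address
    of a prefix the local admin has actually declared."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in prefixes)


def compare_filters(destinations, prefixes=LOCAL_PREFIXES):
    """Return, per destination, what each filter decides plus whether the naive
    rule got it wrong relative to the prefix-aware truth."""
    rows = []
    for dst in destinations:
        naive = naive_dot255_filter(dst)
        truth = prefix_aware_filter(dst, prefixes)
        if naive and not truth:
            verdict = "false positive: valid host blocked"
        elif truth and not naive:
            verdict = "miss: broadcast address let through"
        else:
            verdict = "ok"
        rows.append({"dst": dst, "naive": naive, "prefix_aware": truth, "verdict": verdict})
    return rows


def should_forward_to_interface(dst: str, iface_net, directed_broadcast=False) -> bool:
    """Model of the per-interface flag asked for above (hypothetical model, not a
    vendor implementation): a router refuses to forward a packet whose destination
    is the all-ones address of the egress interface's subnet unless directed
    broadcast has been explicitly enabled on that interface."""
    addr = ipaddress.ip_address(dst)
    if addr == iface_net.broadcast_address and not directed_broadcast:
        return False
    return True


# Constructed destinations covering the cases the thread argues about.
SAMPLE_DESTINATIONS = [
    "192.0.2.255",     # valid host inside the /23, not a broadcast
    "192.0.3.255",     # real broadcast of the /23
    "198.51.100.127",  # real broadcast of the first /25, no .255 in sight
    "198.51.100.255",  # real broadcast of the second /25
    "203.0.113.255",   # real broadcast of the /24
    "203.0.113.10",    # ordinary host
]

if __name__ == "__main__":
    for row in compare_filters(SAMPLE_DESTINATIONS):
        print(f"{row['dst']:>16}  naive={row['naive']!s:5}  "
              f"prefix_aware={row['prefix_aware']!s:5}  {row['verdict']}")
    iface = ipaddress.ip_network("203.0.113.0/24")
    print("forward 203.0.113.255 with flag off:",
          should_forward_to_interface("203.0.113.255", iface))
```

Running it shows the two failure modes the post describes: the .255 rule blocks a legitimate host in the supernetted /23 and lets the .127 broadcast of the VLSM /25 straight through, while the prefix-aware check is right in every case because it carries the admin's knowledge of the nets. The per-interface flag modelled by `should_forward_to_interface` is the same idea applied at the last hop; in Cisco IOS that knob is `no ip directed-broadcast` on the interface.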

