Re: smurf's attack...

[Rick Summerhill <rrsum () cody flinthills com>]

On Fri, 5 Sep 1997, Jordyn A. Buchanan wrote:

> At 2:45 PM -0500 9/5/97, Jon Green wrote:
> > On Fri, 5 Sep 1997 15:24:58 -0400, jordyn () bestweb net writes:
> >
> > > We're also using the following extended access list (along with
> > > anti-spoofing filters) to prevent smurf attacks from originating from our
> > > network:
> > >
> > > access-list XXX deny ip any 0.0.0.255 255.255.255.0
> >
> >
> > Folks, this is a bad idea.  There are lots of completely valid IP
> > addresses out there that end in .255.  True, most of them that
> > end in .255 ARE broadcast addresses, but if people implement this
> > kind of filtering on a large scale, it really breaks classless IP.
>
> Eep, this is true.  (Stupid me).
>
> Haven't had any complaints yet from users unable to access anything yet,
> but so much for making the 'Net slightly safer from this crap.

Well, I'm not so sure it is a bad idea in all cases.  Like anything, you
should apply this with a little forthought, however.  If you know how your
network is configured, if you know how people have carved up their class B's
and such, you can eliminate a lot of the problems by doing this kind
of thing, especially if your network is not too large.  It won't stop
a broadcast sent to a network like 129.129.4.0/22 (i.e. 129.129.7.255),
and the same is true for smaller networks, but if you have a bunch of class
B's and you have carved them up into /24's, then you can catch a lot of
the problems by doing just that filter.  As a general rule, for everyone,
probably not!

--Rick

--
Rick Summerhill                          Network administrator, KANREN
5008 Canyon Road                         The University of Kansas
Manhattan, KS 66503                      rrsum () kanren net
(785) 539-6796                           rrsum () cody flinthills com