nanog mailing list archives

Re: SMURF amplifier block list


From: Brandon Ross <bross () mindspring net>
Date: Wed, 15 Apr 1998 16:27:13 -0400 (EDT)

On Wed, 15 Apr 1998, Pete Ashdown wrote:

Are we really concerned about being smurfed by a /30, or even a /27?

We should be concerned about receiving ping floods from two single
addresses?  The IP size of the network also figures into the nature of
the attack.  Smurfing is made easier by large subnets without
directed-broadcast turned off.  It is a lot more work to get the same
results from networks smaller than a /27.

Sorry, I should have been more clear.  I took that earlier statement to
mean that we shouldn't be concerned about amplification networks smaller
than /24.  I felt that was implied by the discussion about filtering
addresses ending in .255.  The point I was trying to make is that I have
many networks with masks longer than /24 (the majority of which are
shorter than /27) that would make very effective smurf amplifiers if I
didn't have directed broadcasts turned off.  In my experience I've found
that many networks use /24's, not because they necessarily need 254 hosts
on that network, but because it's convenient since the network/host number
falls on an octet boundary.  Most of these networks I've seen have
significantly less than 254 hosts on them.  My networks with longer masks
are much denser than what I've seen is the average /24, and therefore
possibly more dangerous as amplifiers.

Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Chief Network Engineer  MindSpring Enterprises, Inc   info () mindspring com
Mosher's Law of Software Engineering:  Don't worry if it doesn't work
right.  If everything did, you'd be out of a job.
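As an added illustration of the point in the reply above (this is not code from the thread): a short Python script, run over constructed sample prefixes, that computes each prefix's directed-broadcast address and the most replies a single broadcast ping could draw from it, and then lists which of those broadcast addresses a filter matching only addresses ending in .255 would miss.

```python
import ipaddress


def directed_broadcast(prefix: str) -> str:
    """Return the directed-broadcast address of an IPv4 prefix in CIDR form."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.broadcast_address)


def max_amplification(prefix: str) -> int:
    """Upper bound on echo replies one request to the broadcast address can
    elicit: the number of usable host addresses in the prefix.  /31 and /32
    have no distinct broadcast address, so they amplify nothing."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen >= 31:
        return 0
    return net.num_addresses - 2


def missed_by_dot255_filter(prefixes):
    """Prefixes whose broadcast address does not end in .255 and would
    therefore slip past a filter keyed only on that last octet."""
    return [p for p in prefixes if not directed_broadcast(p).endswith(".255")]


# Constructed sample prefixes (documentation range, not networks from the thread).
SAMPLE_PREFIXES = [
    "192.0.2.0/24",
    "192.0.2.0/25",
    "192.0.2.128/26",
    "192.0.2.0/27",
    "192.0.2.4/30",
]

if __name__ == "__main__":
    for p in SAMPLE_PREFIXES:
        print(f"{p:16} broadcast={directed_broadcast(p):14} "
              f"max replies={max_amplification(p)}")
    print("missed by a .255-only filter:", missed_by_dot255_filter(SAMPLE_PREFIXES))
```

Only the /24 is caught by a .255-only filter; every longer mask still answers a broadcast ping unless directed broadcast is turned off on the router.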
