nanog mailing list archives

Re: Odd DDoS, anyone else seen this?


From: variable () ednet co uk
Date: Mon, 25 Nov 2002 14:03:14 +0000 (GMT)


On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:

> Glad to know it's not just me..

DDoS is a problem for everyone, but only a few people seem to be trying to
do anything about it.

> FYI x.x.0.0 is a valid host address as is x.x.x.0 and it would be
> technically incorrect to block it assuming it to be a network address
> and therefore bogon.

Agreed, but we did a quick risk analysis and we thought blocking the DDoS
was the lesser of the two evils.  Again, if anyone is actually using
x.x.0.0 addresses for hosts it would be useful to know.

> However this may be a way to do it if we see another attack, although I
> would strongly recommend against filtering x.x.x.0. I would doubt that
> there are any valid x.x.0.0 hosts on the internet so could filter on
> that..

That's what I expected, but wanted to see what effect it would have on
legitimate traffic first.  Again, it would be useful to know if anyone is
dropping hosts on to x.x.x.0 as well.

I know that these are both legitimate IP addresses, but if they are only
being used for DDoS then surely we should look at locking them down (in
the same way as broadcast packets have been)?

Rich
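
An added illustration, not part of the original message: a Python sketch of the check discussed in this thread, measuring how much traffic a drop rule for x.x.0.0 or x.x.x.0 sources would catch, and showing that such an address is a network address under one prefix length and a usable host under another. The function names and the flow records are constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample: (source address, packet count) pairs, not real traffic.
FLOWS = [
    ("10.1.0.0", 9000),
    ("10.77.0.0", 8500),
    ("10.3.5.0", 12),
    ("10.3.4.17", 300),
    ("10.9.8.7", 450),
]

def classify(addr):
    """Bucket an IPv4 source by the address patterns discussed in the thread."""
    octets = ipaddress.IPv4Address(addr).packed
    if octets[2] == 0 and octets[3] == 0:
        return "x.x.0.0"
    if octets[3] == 0:
        return "x.x.x.0"
    return "other"

def is_usable_host(addr, prefix_len):
    """True if addr is a host address (not network or broadcast) in its prefix."""
    if prefix_len >= 31:
        # /31 point-to-point links (RFC 3021) and /32 have no reserved addresses.
        return True
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    return ip not in (net.network_address, net.broadcast_address)

def filter_impact(flows):
    """Sum packets per bucket to show what a drop rule for each pattern would catch."""
    totals = Counter()
    for src, packets in flows:
        totals[classify(src)] += packets
    return totals

if __name__ == "__main__":
    for bucket, packets in filter_impact(FLOWS).most_common():
        print(f"{bucket:8} {packets:6} packets")
    # The same address is a network address under one mask and a host under another.
    for addr, plen in [("10.1.0.0", 16), ("10.1.0.0", 15), ("10.3.5.0", 24), ("10.3.5.0", 23)]:
        print(f"{addr}/{plen}: usable host = {is_usable_host(addr, plen)}")
```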

