nanog mailing list archives

Re: Filtering ICMP (Was Re: SMURF amplifier block list)


From: Michael Dillon <michael () memra com>
Date: Mon, 20 Apr 1998 23:12:46 -0700 (PDT)

On Tue, 21 Apr 1998, Mark Whitis wrote:

> Really, you should filter the known broadcast addresses of
> your downstream networks with the cooperation of those networks.

Exactly! You can run your own tests for likely broadcast addresses and if
you find an open broadcast address you should contact the downstream
network and ask if they can block directed broadcasts and if they can't
then you should get their permission to filter traffic to the open
broadcast address and regardless of their permission you should contact
the vendor of their equipment to inquire why the equipment is broken and
unsuitable for use on the Internet. And it would be nice to forward any
vendor info to Craig Huegen chuegen () quadrunner com so he can update his
SMURF document and submit it for publication as an informational RFC with
all the vendor info in place.

> What I was objecting to was the idea that some ISP would get
> the idea that it was a good idea to filter all .255 destined traffic
> passing through their network

Yuk!

> Actually, even if they don't know the subnet structure beforehand, they
> will discover this, as far as is relevant to smurfing, when they perform
> a smurf scan on their own CIDR blocks.  Any address that results in
> multiple smurf type echo replies from different addresses would be
> considered a broadcast address; any that didn't, wouldn't.

Exactly! And by cleaning up your downstream vulnerabilities you reduce the
chances that your entire address space will be blocked by other network
operators.

--
Michael Dillon                   -               Internet & ISP Consulting
http://www.memra.com             -               E-mail: michael () memra com
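The two points argued in this message, that a blanket ".255" filter is the wrong tool under CIDR, and that an address answering a single echo request with replies from several different hosts is an open broadcast amplifier, can be worked through on a constructed data set. The following is an added example, not code from the thread or from either poster; the addresses, subnet layout and scan replies are all hypothetical, and nothing here sends packets: it takes the result of a check of your own address space and produces the list of amplifiers and the downstream network to contact about each.

```python
"""Added example (not from the NANOG thread): given the result of a
directed-broadcast (smurf amplifier) check of your *own* address space,
decide which addresses are open amplifiers and which downstream subnet
owns each, and show why a blanket filter on every ".255" address is the
wrong tool under CIDR. All addresses are constructed private-space
examples; the reply list is a hypothetical scan result.
"""
import ipaddress
from collections import defaultdict

# Constructed: the provider's aggregate and the downstream subnet
# structure as far as the provider knows it.
PROVIDER_BLOCK = ipaddress.ip_network("10.0.0.0/22")
KNOWN_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/23"),    # one flat /23: 10.0.0.255 is a host here
    ipaddress.ip_network("10.0.2.0/25"),    # broadcast is 10.0.2.127, not a .255
    ipaddress.ip_network("10.0.2.128/25"),
    ipaddress.ip_network("10.0.3.0/24"),
]

# Constructed: (probed address, source of an ICMP echo reply), one row per
# reply received after a single echo request was sent to each candidate.
SCAN_REPLIES = [
    ("10.0.1.255", "10.0.1.1"),
    ("10.0.1.255", "10.0.1.7"),
    ("10.0.1.255", "10.0.1.42"),
    ("10.0.2.127", "10.0.2.1"),     # a single reply: not an amplifier
    ("10.0.2.255", "10.0.2.129"),
    ("10.0.2.255", "10.0.2.130"),
    # 10.0.3.255: no replies at all, directed broadcast already blocked
]


def broadcast_candidates(subnets):
    """Broadcast addresses of the known subnets: the addresses a targeted
    filter, agreed with the downstream, would actually cover."""
    return {str(n.broadcast_address) for n in subnets}


def naive_dot255_filter(block):
    """Every address in the block ending in .255: what a blanket
    'drop all .255 traffic' filter would cover."""
    return {str(a) for a in block if (int(a) & 0xFF) == 0xFF}


def compare_filters(block, subnets):
    """Show where the blanket filter diverges from the real broadcasts."""
    real = broadcast_candidates(subnets)
    naive = naive_dot255_filter(block)
    return {
        "missed_by_naive": sorted(real - naive),    # real broadcasts left open
        "wrongly_filtered": sorted(naive - real),   # host addresses blackholed
    }


def find_amplifiers(replies, min_sources=2):
    """Apply the rule from the thread: a probed address that draws echo
    replies from several different addresses is a broadcast address
    (an amplifier); one reply or none means it is not."""
    sources = defaultdict(set)
    for target, src in replies:
        sources[target].add(src)
    return {
        target: sorted(srcs, key=ipaddress.ip_address)
        for target, srcs in sources.items()
        if len(srcs) >= min_sources
    }


def remediation_report(replies, subnets):
    """For each amplifier: how many hosts answered (the amplification
    factor) and which downstream subnet owns it, i.e. whom to contact."""
    report = {}
    for target, srcs in find_amplifiers(replies).items():
        addr = ipaddress.ip_address(target)
        owner = next((str(n) for n in subnets if addr in n), "unknown")
        report[target] = {"amplification": len(srcs), "downstream": owner}
    return report


if __name__ == "__main__":
    print(compare_filters(PROVIDER_BLOCK, KNOWN_SUBNETS))
    print(remediation_report(SCAN_REPLIES, KNOWN_SUBNETS))
```

On this layout the blanket filter both misses a real broadcast (10.0.2.127, the /25's broadcast) and blackholes a legitimate host (10.0.0.255, which sits inside the flat /23), while the reply-count rule flags 10.0.1.255 and 10.0.2.255 as amplifiers and attributes each to the downstream subnet whose operator should be asked to block directed broadcasts.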