nanog mailing list archives
Re: identify hostname
From: Phil Howard <phil () whistler intur net>
Date: Wed, 2 Dec 1998 08:53:59 -0600 (CST)
Rusty Zickefoose wrote:
I've got to go with Pete K. on this one. In our current, cidr-ized world, it is simply not possible for an upstream provider to determine what is, or is not, a broadcast address in a downstream network. This is something that needs to be implemented from the edge in, not from the core out.
I'll second the agreement. I know my own subnetting strategy, and I also know what blocks I assign to my customers. Although few of my customers are sophisticated enough to subnet them on their own, even if we go do it for them (which is one of the services we offer) this is not something that we record in the database that will be used to build all our configurations. I do have an access list deny for incoming destinations to *.*.*.255 since I do know that the only customer we have with larger than a /24 from us (via cw.net) also happens to have nothing larger than /26 in their network. AFAIK, today, smurfers are only using *.*.*.255. They would have to track a lot more information to use others, so for now I can generally expect that deny to prevent us from being an amplifier.

As more and more *.*.*.255's get blocked, smurfer kiddies may look for other broadcast addresses as well. It may come down to literally having to build an access list from my assignment database. Of course those smaller subnets will typically have fewer hosts to amplify from, but when servers are carefully concentrated in a subnet, there can still be a lot.

I cannot expect C&W to block *.*.*.255 incoming for me. Even though in my case it would cause no problems, in the case of others, it can, and they have no reason (or database) to know which is which. But when the smurfers start using 127, 63, etc., that won't do any good, and I don't want them blocking those all the way down to /30's (let's just cut the IPv4 address space in half).

I do block outgoing sources with addresses other than our network blocks. Thus we can't be the source of an amplified attack other than an attack on our own network, or only amplified here, which limits it to our pipe size, and makes tracking it (to here) very easy. Such blocking helps on forgeries, too.
I would expect the backbones to do broadcast address blocking in their own subnet space where a lot of broadcast replyable servers exist (surely their Cisco routers aren't replying to broadcasts since that is easy to turn off). But these can be thought of as an "edge", anyway, and they do know the subnet mask there.

--
Phil Howard KA9WGN
Inturnet, Inc. | Director of Internet Services | eng at intur.net
Business Internet Solutions | philh at intur.net
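The two filters Phil describes, an ingress deny built from the assignment database (so that /26 broadcasts such as .63, .127 and .191 are caught, not only .255) and an egress drop for source addresses outside the provider's own blocks, as an added example that is not part of the original post. The prefixes are constructed placeholders, not Inturnet's allocations, and the "deny ip any host" line is an assumed Cisco-style ACL form.

```python
import ipaddress

# Constructed assignment database (placeholder prefixes, not real allocations).
# One /24 customer has subnetted into /26s, as in the message, and one
# customer holds a /30, the smallest case the message mentions.
ASSIGNMENTS = [
    ipaddress.ip_network("192.0.2.0/26"),
    ipaddress.ip_network("192.0.2.64/26"),
    ipaddress.ip_network("192.0.2.128/26"),
    ipaddress.ip_network("192.0.2.192/26"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/30"),
]

# The provider's own aggregate blocks (constructed), used for the egress check.
OUR_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def directed_broadcasts(assignments):
    """Broadcast address of every assigned subnet. /31 and /32 have no
    broadcast address, so they are skipped."""
    return {net.broadcast_address for net in assignments if net.prefixlen < 31}


def ingress_deny_list(assignments):
    """Filter lines, one per broadcast address, in an assumed Cisco-style form."""
    return [f"deny ip any host {b}" for b in sorted(directed_broadcasts(assignments))]


def drop_ingress(dst, assignments):
    """True if an inbound packet is aimed at one of our directed broadcasts."""
    return ipaddress.ip_address(dst) in directed_broadcasts(assignments)


def drop_egress(src, our_blocks):
    """True if an outbound source address is not from our own blocks, i.e. it
    is forged and must not leave the network."""
    addr = ipaddress.ip_address(src)
    return not any(addr in blk for blk in our_blocks)


if __name__ == "__main__":
    for line in ingress_deny_list(ASSIGNMENTS):
        print(line)
```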