nanog mailing list archives

Re: Solution: Re: Huge smurf attack


From: "Jay R. Ashworth" <jra () scfn thpl lib fl us>
Date: Wed, 13 Jan 1999 20:45:10 -0500

On Mon, Jan 11, 1999 at 10:30:41PM -0500, Daniel Senie wrote:
> > OTOH, what about just declaring that X.X.X.{0,255} is off limits
> > regardless of the network size?  It would take just 2 access list
> > entries to make those addresses in networks larger than /24 to be
> > mostly useless.  There aren't that many LANs out there that would
> > have real non-broadcast use on these addresses, anyway.  I block
> > these coming in to my network as destinations, and I'm tempted to
> > block them as sources, as well.  Once these addresses are indeed
> > off limits, then the next step is to get backbones to put in the
> > access lists.
>
> No. This is not a good plan. There are indeed networks out there with
> supernetted LANs. I consult for a large research institution which uses
> /22 masks for all subnets, and heavily uses them. The chances of
> clobbering perfectly legitimate addresses is real. Beyond this, there
> are plenty of /25 networks that'll do a perfectly good job of playing
> smurf-amplifier. The solution isn't to apply access lists.

Since Phil's on my side of this argument, I'll jump back in.

What percentage of the hosts on the internet occupy an address with a
non-broadcast .0 or .255 last octet?

What percentage of smurfs would be stopped by outbound filters on those
octets?

Which is a bigger win?

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff     Buy copies of The New Hackers Dictionary.
The Suncoast Freenet            Give them to all your friends.
Tampa Bay, Florida     http://www.ccil.org/jargon/             +1 813 790 7592
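The two questions Jay asks above (how many legitimate hosts a last-octet filter would clobber, and how many smurf amplifiers it would actually stop) can be put to numbers for any given address plan. The following is an added example, not code from the thread or from any of its participants; the subnet list is constructed for illustration, and the filter modelled is exactly the proposed "drop anything ending in .0 or .255" rule. It shows both objections from the quoted reply: a /22 LAN has ordinary host addresses ending in .0 and .255, and a /25's directed-broadcast address ends in .127, which the filter never sees.

```python
"""
Added example (not from the NANOG thread): quantify both sides of the
"filter X.X.X.{0,255}" proposal with Python's ipaddress module.

  collateral_damage():   legitimate host addresses (neither the network
                         address nor the subnet broadcast) that the
                         last-octet filter would drop anyway.
  amplifier_coverage():  directed-broadcast addresses, i.e. the targets a
                         smurf attacker aims at, that the filter catches.
"""
import ipaddress

# Constructed sample address plan (private ranges, illustration only):
# an institution on /22 LANs, a campus carved into /25s, and two plain /24s.
SAMPLE_SUBNETS = [
    "10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22",
    "192.168.1.0/25", "192.168.1.128/25", "192.168.2.0/25", "192.168.2.128/25",
    "172.16.0.0/24", "172.16.1.0/24",
]


def last_octet_filter(addr):
    """The proposed two-entry ACL: match anything whose last octet is 0 or 255."""
    return addr.packed[-1] in (0, 255)


def collateral_damage(subnets):
    """Return (dropped, total): ordinary host addresses the filter would block.

    hosts() already excludes the network and broadcast address of each
    subnet, so every address counted here is a usable host address."""
    dropped = total = 0
    for s in subnets:
        net = ipaddress.ip_network(s)
        for host in net.hosts():
            total += 1
            if last_octet_filter(host):
                dropped += 1          # e.g. 10.0.1.0 or 10.0.2.255 inside a /22
    return dropped, total


def amplifier_coverage(subnets):
    """Return (caught, total): subnet broadcast addresses the filter matches.

    A /25's broadcast address ends in .127 or .255, so half of them slip
    past a filter that only looks for .0 and .255."""
    caught = 0
    for s in subnets:
        net = ipaddress.ip_network(s)
        if last_octet_filter(net.broadcast_address):
            caught += 1
    return caught, len(subnets)


def percent(part, whole):
    """Helper for the human-readable summary."""
    return 100.0 * part / whole if whole else 0.0


if __name__ == "__main__":
    dropped, total = collateral_damage(SAMPLE_SUBNETS)
    caught, nets = amplifier_coverage(SAMPLE_SUBNETS)
    print(f"legitimate hosts clobbered: {dropped}/{total} ({percent(dropped, total):.2f}%)")
    print(f"broadcast targets filtered: {caught}/{nets} ({percent(caught, nets):.1f}%)")
```

Run against the sample plan, the filter drops 18 of 4078 legitimate host addresses (all of them inside the three /22s) while catching 7 of the 9 broadcast addresses; the two it misses are the .127 broadcasts of the lower /25s. Swapping in your own prefix list gives the percentages Jay is asking for directly.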

