North American Network Operators Group
Re: smurf's attack...
> > Likewise, not all broadcast addresses necessarily end with .255,
> > so filtering .255 won't help anyway in the presence of something
> > like a /25 with a X.X.X.127 broadcast.
>
> Agreed, but it is not easy for a hacker to determine CIDR masks. It
> is my impression that the only thing being sent is classful broadcasts.

That's unfortunately not true. My hope is that this will change - I just sent CERT an advisory about this, and they're contacting several vendors whose equipment is misconfigured - but a very large number of systems out there will very cheerfully let you know their broadcast mask, in violation of the Host Requirements RFC.

It would take a bit more work to code a "smurf" program to first determine the broadcast mask, but since the smurf program uses hardcoded target addresses, all it would take is for someone to probe a few networks adequately, build them into the next release of the smurf program, and start using it.

I agree with the point of the discussion, however - many, many networks are broken into /24s for various reasons, but blocking packets _outbound_ to what you presume are broadcast addresses is a bad thing.

(Btw: If you feel the desire to _not_ let your netmasks hang out in the open, you can use an access list like:

    access-list blah deny icmp any any mask-request

Most sites should have NO need to allow mask requests or replies in and out of their internal network.)

-Dave Andersen
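The post's point is that a host answering ICMP Address Mask Requests (RFC 950, type 17/18) hands an attacker exactly what a smurf amplifier list needs: the real netmask, and therefore the real directed-broadcast address, which for anything narrower than a /24 does not end in .255. The following is an added example, not code from the original post or from any smurf program: it builds a constructed Address Mask Reply as a leaky host would send it, parses it (checking the RFC 1071 checksum), derives the directed broadcast address from the learned mask, and contrasts that with the classful guess and with a naive "ends in .255" filter. The host address 192.0.2.10 and the /25 mask are constructed test data; the function names are the example's own.

```python
import ipaddress
import struct

# ICMP message types from RFC 950.
ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18

# ICMP Address Mask Reply layout (12 bytes):
#   type(1) code(1) checksum(2) identifier(2) sequence(2) address mask(4)
_MASK_MSG = "!BBHHH4s"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mask_reply(mask: str, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed ICMP Address Mask Reply, as a host that violates the
    Host Requirements RFC would emit it in answer to a mask request."""
    body = struct.pack(_MASK_MSG, ICMP_ADDRESS_MASK_REPLY, 0, 0, ident, seq,
                       ipaddress.IPv4Address(mask).packed)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_mask_reply(pkt: bytes):
    """Return the dotted-quad netmask carried by an Address Mask Reply,
    or None if the message is not a well-formed reply (wrong type/code,
    truncated, or bad checksum)."""
    if len(pkt) < struct.calcsize(_MASK_MSG):
        return None
    msg = pkt[:struct.calcsize(_MASK_MSG)]
    typ, code, _csum, _ident, _seq, mask = struct.unpack(_MASK_MSG, msg)
    if typ != ICMP_ADDRESS_MASK_REPLY or code != 0:
        return None
    # Summing a valid message including its checksum field yields 0.
    if icmp_checksum(msg) != 0:
        return None
    return str(ipaddress.IPv4Address(mask))


def directed_broadcast(host_ip: str, netmask: str) -> str:
    """Directed broadcast address of the host's subnet, given the real mask.
    This is the address a mask-aware smurf would bounce packets off."""
    net = ipaddress.IPv4Network(f"{host_ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


def classful_broadcast(host_ip: str) -> str:
    """Broadcast address a classful-only guess (class A/B/C) would produce."""
    first = int(host_ip.split(".")[0])
    if first < 128:
        prefix = 8
    elif first < 192:
        prefix = 16
    elif first < 224:
        prefix = 24
    else:
        raise ValueError("not a class A/B/C unicast address")
    net = ipaddress.IPv4Network(f"{host_ip}/{prefix}", strict=False)
    return str(net.broadcast_address)


def naive_dot255_filter_blocks(addr: str) -> bool:
    """The filter the thread warns about: only catches X.X.X.255."""
    return addr.endswith(".255")


if __name__ == "__main__":
    host = "192.0.2.10"                      # constructed TEST-NET host
    reply = build_mask_reply("255.255.255.128")  # host leaks a /25 mask
    mask = parse_mask_reply(reply)
    real = directed_broadcast(host, mask)
    guess = classful_broadcast(host)
    print(f"leaked mask {mask}: directed broadcast {real}")
    print(f"classful guess would have been {guess}")
    print(f".255 filter blocks the real target: {naive_dot255_filter_blocks(real)}")
```

With the leaked /25 mask the real amplifier address is 192.0.2.127, while the classful guess is 192.0.2.255, so a ".255" filter passes the packet the attacker actually sends. The ACL in the post drops the request side (ICMP type 17); Cisco IOS also understands the `mask-reply` keyword (type 18) if you want to stop replies leaving the network as well.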