North American Network Operators Group

Re: Smurfing
This actually came up a few weeks ago - there's no way to filter outbound ICMP for "broadcast addresses", because what defines a broadcast address depends on the subnetting at the receiving end. For example, 10.1.1.119 may be a host on 10.1.1.0/24, or a broadcast on 10.1.1.112/29.

"no ip directed-broadcast" drops all IP destined for the broadcast address _on an interface_, AFAIK.

eric

>
> Don't these answers answer a different question? Isn't the question how to
> filter *outbound* attacks, not inbound ones? Filtering the inbound ones is
> pretty easy on a Bay or anything with filters (drop packets bound for the
> broadcast addresses). Filtering outbound is another story, especially with
> CIDR. I would like to set up my routers to make sure I'm protecting as much
> of the 'net as possible from attempts by my customers to do evil. However,
> it's not clear to me how to do that. Does "no ip directed-broadcast" somehow
> filter the *outbound* attacks or just the inbound ones?
> --
> Steve Hultquist, Chief Technology Officer          HSAnet
> providing high-speed Internet access               Boulder, Colorado
> mailto:[email protected]   +1.303.581.0800   http://www.HSAnet.net/
>
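An added example, not part of the original post: the 10.1.1.119 case from the message worked through with Python's standard `ipaddress` module, showing why a source-side filter that sees only the destination address cannot tell a host from a directed broadcast. The function names and the /8 to /30 search range are assumptions made for this illustration.

```python
import ipaddress

def role_on(addr, network):
    """Classify addr as seen by a router that knows the receiving subnet."""
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(network)
    if ip not in net:
        return "outside"
    if ip == net.broadcast_address:
        return "broadcast"
    if ip == net.network_address:
        return "network"
    return "host"

def broadcast_prefix_lengths(addr, min_len=8, max_len=30):
    """Prefix lengths under which addr would be the directed-broadcast address."""
    ip = ipaddress.IPv4Address(addr)
    hits = []
    for plen in range(min_len, max_len + 1):
        # strict=False masks off the host bits to get the enclosing network
        net = ipaddress.IPv4Network((ip, plen), strict=False)
        if net.broadcast_address == ip:
            hits.append(plen)
    return hits

def possibly_broadcast_count(block):
    """Addresses in block that are a broadcast under at least one subnetting."""
    return sum(1 for ip in ipaddress.IPv4Network(block)
               if broadcast_prefix_lengths(ip))

if __name__ == "__main__":
    dst = "10.1.1.119"  # address used in the post
    for subnet in ("10.1.1.0/24", "10.1.1.112/29"):
        print(dst, "on", subnet, "->", role_on(dst, subnet))
    print("broadcast if the remote prefix length is:", broadcast_prefix_lengths(dst))
    # Cost of a blanket outbound filter: every one of these could also be a host.
    print("ambiguous addresses in 10.1.1.0/24:",
          possibly_broadcast_count("10.1.1.0/24"))
```

A quarter of the addresses in the /24 are a broadcast under some subnetting, so an outbound filter keyed on the destination address alone would also drop traffic to legitimate hosts.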