|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: SMURF amplifier block list
In message <[email protected]>, you wrote: > Not often. Few people are actually supernetting within a given broadcast > domain. There's still an awful lot of hardware that doesn't work right in > that environment. But subnets of class B's may be larger than /24 and have host numbers of .255 and .0 in them. That's true all over this campus. It may be reasonable to filter x.x.x.255 addresses from class C's or /24 blocks, but you cannot filter all addresses that end in .255 without filtering out a number of completely legitimate hosts. > The larger problem is that subnetted /24s still are wide open. This kind of > filter won't block anything from their broadcast addresses, since they're > not the .255 address. Indeed yes! There are also many subnets smaller than /24 where the broadcast address does not end in .255 that would still be open for smurfing even in the presence of this .255 filter. The x.x.x.255 filter is an extremely bad idea. /cvk
|