North American Network Operators Group

Re: SMURF amplifier block list
Aaron Beck wrote:
>
> I'm kind of under the impression that we're (ok, just me, but anyone
> else is welcome to jump on this bandwagon) trying to point out that
> class based thinking.. or even "well, most of the net is this" thinking is
> probably a bad idea.

The fact is that a /24 is far more dangerous as a smurf amplifier than a /30. Simple math tells you that there's 127 times as many possible hosts hitting you.

> Kludges n' hacks may work most of the time, but
> kludges and hacks are just that.. kludgey and hackish. Hard coded
> defines, precompiled bins, etc have proven to be a less elegant method in
> other areas of the computing world... why should we repeat the same kind
> of mistake in the networking field?

Who suggested putting a x.x.x.255 filter into IOS itself? An access-list in a config is hardly hard-coding.

> A smurf attack is just that, a smurf
> attack. Wouldn't the overall goal include removing the attack possibility
> in its entirety, not just a temporary solution that may solve some of the
> problems, but definitely not all of them?

If you have a suggestion for "removing the attack possibility in its entirety," please tell us. So far, nobody's come up with one. In the meantime, I'd rather solve 99% of the problem and deal with the remaining 1% than sit around arguing about "class based thinking" and "stereotypical ideologies" in between smurf attacks.

> Assuming that most of the net is based on /24s, and that smaller subnets
> are generally internal to those /24's may be a safe assumption, but once
> again it's probably not the best way to think about this problem (not that
> I have any hints on what the best way should be, but I'm fairly certain
> that applying a stereotypical ideology to this is "not a good thing").

Look at the list of IP addresses used in any smurf attack, and they will almost always be class C or class B broadcast addresses, usually the address of a NAP or well-connected ISP.

There's no sense targeting a solution for a problem which doesn't exist. Solve the general case and buy time for the more specialized ones.

> just my two bits and a lot of run on sentences.

Stephen

--
Stephen Sprunk    "Oops."            Email: [email protected]
Sprint Paranet    -Albert Einstein   ICBM: 33.00151N 96.82326W
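
An added example, not part of the original message or written by either poster: the Python below works through the two numbers this exchange turns on, namely how many hosts can answer a directed broadcast for a given prefix length and which subnet broadcast addresses a filter on x.x.x.255 actually matches, plus the ordinary host addresses such a filter also blocks. The prefixes are constructed samples from documentation and private ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample subnets (documentation / private ranges), not real amplifiers.
SAMPLE = [
    "192.0.2.0/24",       # broadcast .255
    "198.51.100.0/26",    # broadcast .63
    "198.51.100.192/26",  # broadcast .255, although it is not a /24
    "203.0.113.4/30",     # broadcast .7
    "172.16.0.0/16",      # broadcast 172.16.255.255
    "10.0.0.0/23",        # broadcast 10.0.1.255
]


def amplifier_profile(prefix):
    """Describe one subnet from the point of view of a x.x.x.255 filter."""
    net = ipaddress.ip_network(prefix)
    bcast = net.broadcast_address
    # Hosts that could reply to a directed broadcast: every address except
    # the network and broadcast addresses (meaningful for /30 and shorter).
    responders = max(net.num_addresses - 2, 0)
    # Ordinary hosts whose last octet is 255; the filter drops traffic to
    # them too, even though they are not a broadcast address.
    collateral = sum(1 for h in net.hosts() if int(h) & 0xFF == 0xFF)
    return {
        "prefix": prefix,
        "broadcast": str(bcast),
        "responders": responders,
        "caught": int(bcast) & 0xFF == 0xFF,
        "collateral_hosts": collateral,
    }


def summarize(prefixes):
    """Return (responders behind filtered broadcasts, responders missed)."""
    profiles = [amplifier_profile(p) for p in prefixes]
    caught = sum(p["responders"] for p in profiles if p["caught"])
    missed = sum(p["responders"] for p in profiles if not p["caught"])
    return caught, missed


if __name__ == "__main__":
    for p in SAMPLE:
        print(amplifier_profile(p))
    caught, missed = summarize(SAMPLE)
    print(f"responders filtered: {caught}, not filtered: {missed}")
```

The split between filtered and unfiltered responders depends entirely on the mix of prefix lengths in the sample list, so the totals here say nothing about any real network.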