North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: SMURF amplifier block list

  • From: Brett Frankenberger
  • Date: Tue Apr 14 22:24:20 1998

:: Jay R. Ashworth writes ::
> No, IMHO, the comment stands: no matter _what_ size your network is, if
> you assign host addresses with a .0 or .255 final octet, things may
> break, and you deserve what you get.

.255 and .0 are prefectly valid on /23 and shorter-prefixed subnets. 
But many people have made that argument, so I'll get to a much more
important point:

There's no benefit at all to filtering .255 if your network is properly

(1) Let's suppose I block packets coming in to my network that have a
source address of X.X.X.255.  This does nothing for me.  Specifically,
it doesn't prevent amplified ECHO REPLYs from coming in.  Why?  Because
those packets don't have the source address of the broadcast address
that was used to get the amplification effect.  They have the unicast
source address of the individual machines that answeres the ECHO
REQUESTS.  That is, let's suppose your Web Server is 
Let's suppose that 100.100.100/24 is a viable amplification subnet.  If
I send ECHO REQUESTS with Source=,
Destination=, you will see lots of ECHO REPLYs coming at
your Web Server.  None will have Source Address 
Instead, they will have Source Address 100.100.100.X, with 1<=X<=254.

(2) Let's suppose I block packets leaving my network with a destination
address of X.X.X.255.  This would tend to prevent users on my network
from initiating smurf attacks (in the above example, they would be
unable to send packets to the amplifier).  But this is
an incredibly suboptimal way of preventing my users from launching
smurf attacks.  What I actually implement is filters that prevent
packets from leaving my network with a source address that isn't in my
address space.  This makes it impossible for my users to smurf anyone
but me (because, using the above example again, they can't get the
packets with Source Address out of my network).

In other words, blocking Source Address=X.X.X.255 inbound does
absolutely nothing to prevent your network from being smurfed, and as
long as you properly configure to prevent source-address forgery,
blocking Destination Address=X.X.X.255 from leaving your network is

(Of course, blocking Destination Address=X.X.X.255 from coming in is
strictly a personal decision.  If you know all your networks are at
least as big as a /24, and you know that you don't use X.X.X.255 and
X.X.X.0, then blocking inbound packets to X.X.X.255 is a perfectly
valid way to configure your router to prevent yourself from being used
as an amplifier.  But that doesn't require that *other people* refrain
from using X.X.X.{0|255}, only that you do.)

          - Brett  ([email protected])
                               ... Coming soon to a      | Brett Frankenberger
.sig near you ... a Humorous Quote ...                   | [email protected]