North American Network Operators Group

Re: SMURF amplifier block list

  • From: jlixfeld
  • Date: Mon Apr 20 11:57:04 1998

Uhmm, would the 255.255.255.255 wildcard not be 255.255.255.0?

On Sat, 18 Apr 1998, Dean Anderson wrote:

:Umm, I think this has already been hashed out. This is not the only netmask
:on the planet, and you don't know what other networks' netmasks are under
:CIDR. Trying to guess the netmask just leads to breakage.
:
:All you want to do is stop packets coming in to your broadcast address.
:For example, for your network x.y.z/n  (n=24) with your broadcast address
:of x.y.z.255: (I presume everyone can translate between CIDR notation and
:dotted decimal ;-)
:
:deny ip any x.y.z.255 255.255.255.255
:
:no ip directed broadcast basically puts in the same rule, but it does it
:automatically by looking at the netmasks on the interfaces.
:
:		--Dean
:
:>Why not use the filter
:>
:> deny icmp any 0.0.0.255 255.255.255.0 echo-request
:>
:>on the incoming lines? It just blocks 99.999% of these smurf amplifiers,
:>and I hardly think someone would ever sense this restriction for real PING
:>tests.
:>
:>???
:>
:>
:>
:>On Fri, 17 Apr 1998, Dean Anderson wrote:
:>
:>> Date: Fri, 17 Apr 1998 18:09:08 -0400
:>> From: Dean Anderson <[email protected]>
:>> To: [email protected]
:>> Cc: [email protected]
:>> Subject: Re: SMURF amplifier block list
:>>
:>> > Does no ip directed broadcast really work?
:>>
:>> Yes. It works.
:>>
:>> And it works for whatever your particular netmask or broadcast address
:>> happens to be, which is what's important.
:>>
:>> The only time you shouldn't do it globally is when some other network
:>> really needs to see broadcasts.  For example, if we manage a client's
:>> network with HP OpenView over the internet, we need to be able to send them
:>> directed broadcasts, so that OpenView host discovery will work.  Patrol
:>> works the same way, as do other products.  In this case you can't use the
:>> "no ip directed broadcast" switch, but you can still set up access rules
:>> which do the same thing except for the permitted network.
:>>
:>> Bottom line is that you should protect your network from people who would
:>> either abuse it via smurfing, or simply have no business looking for hosts
:>> on your network. You have the tools to do it.
:>>
:>> 		--Dean
:>>
:>>
:>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
:>>            Plain Aviation, Inc                  [email protected]
:>>            LAN/WAN/UNIX/NT/TCPIP/DCE      http://www.av8.com
:>>            We Make IT Fly!                (617)242-3091 x246
:>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
:>>
:>>
:>>
:>
:>Aleksei Roudnev, Network Operations Center, Relcom, Moscow
:>(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095)
:>239-10-10, N 13729 (pager)
:>(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
:

--
Regards,  

Jason A. Lixfeld             [email protected]
iDirect Network Operations   [email protected]

---------------------------------------------------------------------
TUCOWS Interactive Ltd. o/a  | "A Different Kind of Internet Company"
Internet Direct Canada Inc.  | "FREE BANDWIDTH for Toronto Area IAPs"
5415 Dundas Street West      | http://www.torontointernetxchange.net
Suite 301, Toronto Ontario   | (416) 236-5806	     (T)
M9B-1B5 CANADA               | (416) 236-5804        (F)
---------------------------------------------------------------------
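As an added example (not part of the thread), this Python script applies Cisco wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored) to the destination patterns quoted above, and derives the directed-broadcast address from a prefix's own length, which is what `no ip directed-broadcast` does per interface. It assumes 192.0.2.0/24 standing in for x.y.z/n; the sample destinations are constructed from RFC 5737 documentation ranges.

```python
# Added example, not code from the NANOG thread: Cisco-style wildcard-mask
# matching for the ACL destination patterns quoted above, plus the
# directed-broadcast address of an arbitrary CIDR prefix.
import ipaddress


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(addr, base, wildcard):
    """Cisco ACL semantics: wildcard bit 0 = must match, bit 1 = don't care.
    The whole 32-bit pattern is compared, as a router would do it."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def directed_broadcast(prefix):
    """The address 'no ip directed-broadcast' protects: the broadcast address
    derived from the interface's own mask, whatever its length."""
    return str(ipaddress.ip_network(prefix, strict=False).broadcast_address)


def acl_hits(acl, addrs):
    """Return the subset of addrs that an ACL entry (base, wildcard) matches."""
    base, wildcard = acl
    return [a for a in addrs if wildcard_matches(a, base, wildcard)]


# Constructed sample destinations (RFC 5737 documentation ranges).
SAMPLE_DESTS = ["192.0.2.255", "192.0.2.10", "198.51.100.255", "192.0.2.127"]

# The destination patterns from the thread, with 192.0.2.0/24 as x.y.z/24
# (assumed), plus the exact-host form for comparison.
ACLS = {
    "any .255 host (0.0.0.255 255.255.255.0)": ("0.0.0.255", "255.255.255.0"),
    "x.y.z.255 with wildcard 255.255.255.255": ("192.0.2.255", "255.255.255.255"),
    "x.y.z.255 exact host (wildcard 0.0.0.0)": ("192.0.2.255", "0.0.0.0"),
}

if __name__ == "__main__":
    for name, acl in ACLS.items():
        print(f"{name}: matches {acl_hits(acl, SAMPLE_DESTS)}")
    # Dean's point: /24 is not the only mask, so the broadcast address moves.
    for p in ("192.0.2.0/24", "192.0.2.64/26", "192.0.2.0/23"):
        print(f"directed broadcast of {p}: {directed_broadcast(p)}")
```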