North American Network Operators Group


Re: Solution: Re: Huge smurf attack

  • From: Jay R. Ashworth
  • Date: Wed Jan 13 21:23:23 1999

On Mon, Jan 11, 1999 at 10:30:41PM -0500, Daniel Senie wrote:
> > OTOH, what about just declaring that X.X.X.{0,255} is off limits
> > regardless of the network size?  It would take just 2 access list
> > entries to make those addresses in networks larger than /24 to be
> > mostly useless.  There aren't that many LANs out there that would
> > have real non-broadcast use on these addresses, anyway.  I block
> > these coming in to my network as destinations, and I'm tempted to
> > block them as sources, as well.  Once these addresses are indeed
> > off limits, then the next step is to get backbones to put in the
> > access lists.
> No. This is not a good plan. There are indeed networks out there with
> supernetted LANs. I consult for a large research institution which uses
> /22 masks for all subnets, and heavily uses them. The chances of
> clobbering perfectly legitimate addresses is real. Beyond this, there
> are plenty of /25 networks that'll do a perfectly good job of playing
> smurf-amplifier. The solution isn't to apply access lists.

Since Phil's on my side of this argument, I'll jump back in.

What percentage of the hosts on the internet occupy an address with a
non-broadcast .0 or .255 last octet?

What percentage of smurfs would be stopped by outbound filters on those

Which is a bigger win?

-- jra
Jay R. Ashworth                                                [email protected]
Member of the Technical Staff     Buy copies of The New Hackers Dictionary.
The Suncoast Freenet            Give them to all your friends.
Tampa Bay, Florida             +1 813 790 7592
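The disagreement above is about one heuristic: dropping every address whose last octet is 0 or 255 versus checking the real network and directed-broadcast addresses of the prefix the address belongs to. The following Python script is an added example, not code from the thread or from any of its authors; it walks a constructed topology (a /22 LAN of the kind Senie describes and a /25 LAN, both in 10/8 and chosen here for illustration) and reports which legitimate host addresses the crude two-entry rule would drop and which real directed-broadcast addresses it would miss.

```python
import ipaddress

# Constructed topology for this example (not taken from the thread): one
# supernetted /22 LAN and one /25 LAN.
CONSTRUCTED_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/22"),   # hosts 10.0.0.1 .. 10.0.3.254
    ipaddress.ip_network("10.1.0.0/25"),   # hosts 10.1.0.1 .. 10.1.0.126
]


def crude_rule_matches(addr):
    """The two-entry ACL idea from the thread: match anything whose last
    octet is 0 or 255, regardless of the subnet mask."""
    return (int(ipaddress.IPv4Address(addr)) & 0xFF) in (0, 255)


def is_network_or_broadcast(addr, prefixes):
    """Subnet-aware check: true only if addr is the network address or the
    directed-broadcast address of the prefix that contains it."""
    ip = ipaddress.IPv4Address(addr)
    for net in prefixes:
        if ip in net:
            return ip in (net.network_address, net.broadcast_address)
    return False


def audit_crude_rule(prefixes):
    """Compare the two rules over every address in each prefix.

    Returns (false_positives, missed_broadcasts):
      false_positives   - legitimate host addresses the crude rule would drop
      missed_broadcasts - real network/broadcast addresses it lets through
    """
    false_positives = []
    missed_broadcasts = []
    for net in prefixes:
        # Iterating a network yields every address, including the network
        # and broadcast addresses themselves.
        for ip in net:
            addr = str(ip)
            crude = crude_rule_matches(addr)
            real = is_network_or_broadcast(addr, prefixes)
            if crude and not real:
                false_positives.append(addr)
            elif real and not crude:
                missed_broadcasts.append(addr)
    return false_positives, missed_broadcasts


if __name__ == "__main__":
    fps, missed = audit_crude_rule(CONSTRUCTED_PREFIXES)
    print("host addresses the .0/.255 rule would clobber:", fps)
    print("directed-broadcast addresses it would miss:", missed)
```

On the constructed topology the crude rule drops six usable host addresses inside the /22 (10.0.0.255, 10.0.1.0, 10.0.1.255, 10.0.2.0, 10.0.2.255, 10.0.3.0) and never matches the /25's directed-broadcast address 10.1.0.127, which is exactly the pair of objections raised in the quoted reply. Which rule is the bigger win for a given network depends on how many such prefixes it actually carries, which is the question the post closes with.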