North American Network Operators Group
Re: SMURF amplifier block list
- From: Stephen Sprunk
- Date: Tue Apr 14 17:50:38 1998
Aaron Beck wrote:
> I'm kind of under the impression that we're (ok, just me, but anyone
> else is welcome to jump on this bandwagon) trying to point out that
> class based thinking.. or even "well, most of the net is this" thinking is
> probably a bad idea.
The fact is that a /24 is far more dangerous as a smurf amplifier than a
/30. Simple math tells you that there are 127 times as many possible
hosts hitting you.
> Kludges n' hacks may work most of the time, but
> kludges and hacks are just that.. kludgey and hackish. Hard coded
> defines, precompiled bins, etc have proven to be a less elegant method in
> other areas of the computing world... why should we repeat the same kind
> of mistake in the networking field?
Who suggested putting a x.x.x.255 filter into IOS itself? An
access-list in a config is hardly hard-coding.
> A smurf attack is just that, a smurf
> attack. Wouldn't the overall goal include removing the attack possibility
> in its entirety, not just a temporary solution that may solve some of the
> problems, but definitely not all of them?
If you have a suggestion for "removing the attack possibility in its
entirety," please tell us. So far, nobody's come up with one.
In the meantime, I'd rather solve 99% of the problem and deal with the
remaining 1% than sit around arguing about "class based thinking" and
"stereotypical ideologies" in between smurf attacks.
> Assuming that most of the net is based on /24s, and that smaller subnets
> are generally internal to those /24's may be a safe assumption, but once
> again it's probably not the best way to think about this problem (not that
> I have any hints on what the best way should be, but I'm fairly certain
> that applying a stereotypical ideology to this is "not a good thing").
Look at the list of IP addresses used in any smurf attack, and they will
almost always be class C or class B broadcast addresses, usually the
address of a NAP or well-connected ISP. There's no sense targeting a
solution for a problem which doesn't exist. Solve the general case and
buy time for the more specialized ones.
> just my two bits and a lot of run on sentences.
Stephen Sprunk "Oops." Email: email@example.com
Sprint Paranet -Albert Einstein ICBM: 33.00151N 96.82326W
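
An added example, not part of the original message or either poster's code: a small audit that, for a list of an operator's own subnets, computes each directed broadcast address, how many hosts could answer it, and whether a last-octet x.x.x.255 filter of the kind discussed above would match it. The subnet list and the names `profile` and `audit` are constructed for illustration.

```python
import ipaddress

# Constructed sample: subnets an operator might audit (documentation/private space).
SAMPLE_SUBNETS = [
    "192.0.2.0/24",
    "198.51.100.0/26",
    "198.51.100.252/30",
    "203.0.113.0/25",
    "10.20.0.0/23",
]

def profile(cidr):
    """Describe one subnet as a potential smurf amplifier."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError(f"{cidr}: no directed broadcast address")
    bcast = net.broadcast_address
    # Hosts that can answer an echo request sent to the broadcast address.
    responders = net.num_addresses - 2
    # An x.x.x.255 filter looks at the last octet only.
    matched = int(bcast) & 0xFF == 0xFF
    # Ordinary host addresses that the same filter would also drop.
    collateral = sum(1 for h in net.hosts() if int(h) & 0xFF == 0xFF)
    return {"subnet": cidr, "broadcast": str(bcast), "responders": responders,
            "matched": matched, "collateral_hosts": collateral}

def audit(cidrs):
    """Return per-subnet rows and the share of responders behind a matched address."""
    rows = [profile(c) for c in cidrs]
    total = sum(r["responders"] for r in rows)
    covered = sum(r["responders"] for r in rows if r["matched"])
    return rows, covered / total

if __name__ == "__main__":
    rows, coverage = audit(SAMPLE_SUBNETS)
    for r in rows:
        print(r)
    print(f"responders behind a matched broadcast address: {coverage:.1%}")
```

On this sample the /26 and the first /25 have broadcast addresses ending in .63 and .127, which the last-octet filter does not match, while the /23 contains one ordinary host address ending in .255 that it would drop.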