On Tue, 21 Apr 1998, Mark Whitis wrote:
> Really, you should filter the known broadcast addresses of your downstream networks with the cooperation of those networks.
Exactly! You can run your own tests for likely broadcast addresses, and if you find an open broadcast address you should contact the downstream network and ask if they can block directed broadcasts. If they can't, you should get their permission to filter traffic to the open broadcast address, and regardless of their permission you should contact the vendor of their equipment to inquire why the equipment is broken and unsuitable for use on the Internet. And it would be nice to forward any vendor info to Craig Huegen <chuegen@quadrunner.com> so he can update his SMURF document and submit it for publication as an informational RFC with all the vendor info in place.
> What I was objecting to was the idea that some ISP would get the idea that it was a good idea to filter all .255 destined traffic passing through their network.
Yuk!
> Actually, even if they don't know the subnet structure beforehand, they will discover this, as far as is relevant to smurfing, when they perform a smurf scan on their own CIDR blocks. Any address that results in multiple smurf type echo replies from different addresses would be considered a broadcast address; any that didn't, wouldn't.
Exactly! And by cleaning up your downstream vulnerabilities you reduce the chances that your entire address space will be blocked by other network operators.

--
Michael Dillon - Internet & ISP Consulting
http://www.memra.com - E-mail: michael@memra.com
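The self-audit described in this thread has two parts: enumerate the addresses in your own CIDR block that could be a directed-broadcast address under any plausible subnetting (which is exactly why a blanket ".255 filter" misses most of them), and then classify each probed address as an amplifier when echo replies come back from several distinct hosts. The following script is an added example, not code from this mailing-list post or from anyone quoted in it. It sends no packets: the reply records are constructed inline to stand in for the output of a ping sweep of your own space, and the `access-list` lines it emits use Cisco-style syntax as an assumed illustration of the per-address filter the thread recommends. The block 192.0.2.0/24 is the documentation range, used here only as sample input.

```python
import ipaddress
from collections import defaultdict

def candidate_broadcasts(block, prefix_lengths=range(24, 31)):
    """Every network and broadcast address of every possible subnetting of
    `block` between the given prefix lengths. Old stacks also answer the
    all-zeros network address, so both ends of each subnet are included.
    For a /24 this yields far more than the single .255 address."""
    net = ipaddress.ip_network(block, strict=False)
    cands = set()
    for plen in prefix_lengths:
        if plen < net.prefixlen:
            continue  # cannot subnet into something larger than the block
        for sub in net.subnets(new_prefix=plen):
            cands.add(sub.network_address)
            cands.add(sub.broadcast_address)
    return sorted(cands)

def classify_replies(replies, threshold=2):
    """replies: iterable of (probe_target, reply_source) pairs recorded while
    pinging each candidate address in your own block. An address that draws
    echo replies from `threshold` or more distinct sources is an open
    directed-broadcast address (an amplifier); a single reply from the
    address itself is just an ordinary host. Returns {target: set(sources)}."""
    by_target = defaultdict(set)
    for target, source in replies:
        by_target[ipaddress.ip_address(target)].add(ipaddress.ip_address(source))
    return {t: s for t, s in by_target.items() if len(s) >= threshold}

def filter_rules(amplifiers, acl=199):
    """Assumed Cisco-style ACL lines denying traffic to each confirmed
    amplifier only, leaving every other address in the block untouched."""
    return [f"access-list {acl} deny ip any host {t}" for t in sorted(amplifiers)]

# Constructed sample: replies from a probe of three candidate addresses.
SAMPLE_REPLIES = [
    ("192.0.2.255", "192.0.2.10"),   # three different hosts answer -> amplifier
    ("192.0.2.255", "192.0.2.11"),
    ("192.0.2.255", "192.0.2.12"),
    ("192.0.2.127", "192.0.2.127"),  # one host answering for itself -> not broadcast
    # 192.0.2.63 was probed but drew no reply at all, so it never appears
]

if __name__ == "__main__":
    cands = candidate_broadcasts("192.0.2.0/24")
    print(f"{len(cands)} candidate addresses in 192.0.2.0/24 (not just .255)")
    amps = classify_replies(SAMPLE_REPLIES)
    for target, sources in amps.items():
        print(f"amplifier {target}: {len(sources)} distinct responders")
    for line in filter_rules(amps):
        print(line)
```

Run against a real sweep, the reply list would come from your own packet capture; the classification rule is the one Whitis states, and the filter output targets only the addresses that actually amplified, which is the narrow per-address filter Dillon argues for rather than a block-wide .255 rule.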