On Mon, 25 Nov 2002, Stephen J. Wilcox wrote:
Glad to know it's not just me..
DDoS is a problem for everyone, but only a few people seem to be trying to do anything about it.
FYI x.x.0.0 is a valid host address as is x.x.x.0 and it would be technically incorrect to block it assuming it to be a network address and therefore bogon.
Agreed, but we did a quick risk analysis and we thought blocking the DDoS was the lesser of the two evils. Again, if anyone is actually using x.x.0.0 addresses for hosts it would be useful to know.
However, this may be a way to do it if we see another attack, although I would strongly recommend against filtering x.x.x.0. I would doubt that there are any valid x.x.0.0 hosts on the internet, so could filter on that..
That's what I expected, but wanted to see what effect it would have on legitimate traffic first. Again, it would be useful to know if anyone is dropping hosts on to x.x.x.0 as well. I know that these are both legitimate IP addresses, but if they are only being used for DDoS then surely we should look at locking them down (in the same way as broadcast packets have been)?

Rich
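A check of the kind discussed in this thread, as an added example that is not part of the original messages: before filtering sources ending in .0 or .0.0, classify each one against its covering routed prefix to see which are genuine host addresses and which are network addresses. The prefixes and flow sources are constructed sample data, and `classify_source` and `tally` are hypothetical names.

```python
import ipaddress
from collections import Counter

# Constructed sample routing table (private and documentation ranges only).
ROUTED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/15",     # 10.1.0.0 sits mid-prefix: a valid x.x.0.0 host
    "172.16.0.0/16",   # 172.16.0.0 is this prefix's network address
    "10.20.30.0/23",   # 10.20.31.0 sits mid-prefix: a valid x.x.x.0 host
    "192.0.2.0/24",    # 192.0.2.0 is this prefix's network address
)]

# Constructed sample of flow source addresses.
FLOWS = ["10.1.0.0", "172.16.0.0", "10.20.31.0", "192.0.2.0",
         "203.0.113.0", "10.1.2.3", "10.1.0.0"]


def classify_source(src, routed_prefixes):
    """Label a source address by its zero-octet pattern and host validity."""
    addr = ipaddress.IPv4Address(src)
    octets = addr.packed
    if octets[3] != 0:
        return "other"
    pattern = "x.x.0.0" if octets[2] == 0 else "x.x.x.0"
    # Longest-prefix match against the assumed routing table.
    covering = [n for n in routed_prefixes if addr in n]
    if not covering:
        return pattern + " unrouted"
    net = max(covering, key=lambda n: n.prefixlen)
    # In a /31 or /32 every address is usable; otherwise the first
    # address of the prefix is the network address, not a host.
    if net.prefixlen < 31 and addr == net.network_address:
        return pattern + " network-address"
    return pattern + " valid-host"


def tally(flows, routed_prefixes):
    """Count flows per class to estimate what a filter would drop."""
    return Counter(classify_source(s, routed_prefixes) for s in flows)


if __name__ == "__main__":
    for label, count in sorted(tally(FLOWS, ROUTED).items()):
        print(f"{count:3d}  {label}")
```

The "valid-host" counts are the legitimate traffic a blanket filter on that pattern would drop.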