On Mon, 21 Jan 2002, Stephen Griffin wrote:
> Is this type of filtering common? What alternate solutions are available
> to mitigate (I'm assuming) concerns about smurf amplifiers, that still
> allow traffic to/from legitimate addresses? What rationale is used to
> filter all traffic to network/broadcast addresses of /24 networks while
> ignoring network/broadcast of /25-/30? For that matter, what percentage
> of smurf amplifiers land on /24 boundaries?

As of last Monday / Tuesday, approximately 45% of all smurf amplifiers in the RIPE region had addresses ending in .0 or .255 [1]. I'm unsure about ARIN / APNIC IP space.

I would certainly hope the kind of filtering you mention is uncommon :)
If you filter, on your ingress, packets whose destination address ends in .0 or .255, and you are a smurf amplifier, you're only stalling the inevitable.

The best course of action is to fix the smurf amplifier itself :)
Check http://www.ircnetops.org/smurf/faq.php if you need to do this.

Regards,

[1] = Data provided by SAFE (http://www.ircnetops.org/smurf)

--
Avleen Vig
Network Security Officer
Smurf Amplifier Finding Executive: http://www.ircnetops.org/smurf
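
The mismatch raised in this thread, as an added example that is not part of the original messages: it compares a "drop anything ending in .0 or .255" filter against the real network and broadcast addresses of a subnet plan. The subnet list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample subnet plan (documentation and private ranges).
SUBNETS = [
    "192.0.2.0/24",       # the case the last-octet filter was designed for
    "198.51.100.0/25",    # broadcast is .127
    "198.51.100.128/26",  # network is .128, broadcast is .191
    "10.10.0.0/23",       # .0.255 and .1.0 are ordinary host addresses
]

def last_octet_filter_blocks(addr):
    """The filter discussed in the thread: match a last octet of 0 or 255."""
    return int(ipaddress.IPv4Address(str(addr))) & 0xFF in (0, 255)

def audit_filter(subnets):
    """Return (missed, collateral) for the last-octet filter.

    missed:     network/broadcast addresses the filter lets through
    collateral: legitimate host addresses the filter drops
    """
    missed, collateral = [], []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        for special in (net.network_address, net.broadcast_address):
            if not last_octet_filter_blocks(special):
                missed.append(str(special))
        for host in net.hosts():
            if last_octet_filter_blocks(host):
                collateral.append(str(host))
    return missed, collateral

if __name__ == "__main__":
    missed, collateral = audit_filter(SUBNETS)
    print("network/broadcast addresses not matched by the filter:")
    for a in missed:
        print("  ", a)
    print("legitimate hosts dropped by the filter:")
    for a in collateral:
        print("  ", a)
```
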