If you are going to filter, you can just filter ICMP for now; that's the major protocol used in the attack. That way you are only slightly affecting those who might have a .255 address on one of their machines. So

access-list xxx deny icmp any 0.0.0.255 255.255.255.0

and

access-list xxx deny icmp any 0.0.0.0 255.255.255.0

are pretty safe ones.

Oh yes, if you didn't notice already, they are using the .0 network address, and from what I've seen the amount of attacks launched using .0 as compared to .255 has been steadily rising. And while turning off ip directed broadcast will mostly take care of this issue, it's only a complete solution if your customers also do it, so filtering is still a good idea IMHO.

On Fri, 5 Sep 1997, Phil Howard wrote:
Randy Bush writes...
access-list XXX deny ip any 0.0.0.255 255.255.255.0
You must be kidding. Why not
access-list XXX deny ip any 0.0.0.42 255.255.255.0
I like...
access-list XXX deny ip any 0.0.0.1 255.255.255.254
...better.
--
Phil Howard KA9WGN   +-------------------------------------------------------+
Linux Consultant     |  Linux installation, configuration, administration,   |
Milepost Services    |  monitoring, maintenance, and diagnostic services.    |
phil at milepost.com +-------------------------------------------------------+
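
Added example, not part of the original thread: a small Python model of IOS wildcard-mask matching that shows which ordinary host addresses each deny line quoted above would catch, and how restricting the rule to ICMP narrows the impact. The function names and the 10.1.0.0/22 sample site are constructed for illustration.

```python
import ipaddress

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: 1-bits in the wildcard are "don't care";
    every other bit of addr must equal the same bit of base."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

# (protocol, destination base, destination wildcard) as written in the thread;
# the source is "any" in every rule, so it is not modelled.
RULES = {
    "icmp .255": ("icmp", "0.0.0.255", "255.255.255.0"),
    "icmp .0":   ("icmp", "0.0.0.0",   "255.255.255.0"),
    "ip .255":   ("ip",   "0.0.0.255", "255.255.255.0"),
    "ip .42":    ("ip",   "0.0.0.42",  "255.255.255.0"),
    "ip odd":    ("ip",   "0.0.0.1",   "255.255.255.254"),
}

def denies(rule, proto, dst):
    """True if the deny rule matches a packet of `proto` sent to `dst`."""
    rule_proto, base, wildcard = RULES[rule]
    return rule_proto in ("ip", proto) and wildcard_match(dst, base, wildcard)

def collateral_hosts(rule, proto, network):
    """Ordinary host addresses in `network` (not its network or broadcast
    address) that lose `proto` reachability because of the rule."""
    net = ipaddress.ip_network(network)
    return [str(h) for h in net.hosts() if denies(rule, proto, h)]

def denied_fraction(rule, proto, network):
    """Share of all addresses in `network` that the rule denies for `proto`."""
    net = ipaddress.ip_network(network)
    return sum(denies(rule, proto, a) for a in net) / net.num_addresses

if __name__ == "__main__":
    site = "10.1.0.0/22"  # constructed sample: one site numbered as a single /22
    for rule in RULES:
        for proto in ("icmp", "tcp"):
            print(f"{rule:10} {proto:4} "
                  f"hosts hit: {len(collateral_hosts(rule, proto, site)):4} "
                  f"share: {denied_fraction(rule, proto, site):.4f}")
```

In the sample /22, 10.1.0.255, 10.1.1.255 and 10.1.2.255 are ordinary host addresses: the `icmp` form costs them only ICMP, the `ip` form cuts them off entirely, and the 0.0.0.1 255.255.255.254 line matches every odd address.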