On Wed, 15 Apr 1998, Pete Ashdown wrote:
> We should be concerned about receiving ping floods from two single addresses? The IP size of the network also figures into the nature of the attack. Smurfing is made easier by large subnets without directed-broadcast turned off. It is a lot more work to get the same results from networks smaller than a /27.
This is directed towards everyone who's been fortunate enough to take part in this discussion, not necessarily you Mr. Ashdown.

If you've got an ISDN line or better, you can successfully ping flood a /30 broadcast address with larger than normal packets and take down a smaller link (ISDN or modem). It wouldn't be as effective as a /27, /24 or greater, but enough /27's and you'd have the same effect, though it'd be more resource intensive on the attacker's end than just going after a /24 or greater broadcast address. Regardless, it doesn't matter what broadcast they ping, as they have varying degrees of effectiveness.

What really matters is if we've put the same amount of effort into fixing our networks as we have arguing about whose responsibility it is to fix it and what the best course of action is. If you've got filters on your network to keep you from being a smurf amplifier, then great. If you've got filters on your router to keep your customers from starting smurf attacks, then great. But if you've only got one and not the other, then you're just doing a half-assed job.

I agree that IP directed broadcasts should be turned off on everyone's routers, and those that ignore the problem or refuse to fix it should be made to deal with it for the greater good of the Internet at large. But if my customers can smurf out, I'm just as guilty as the people who don't fix IP directed broadcasts.

As stated earlier, spoofed traffic is the #1 cause of most denial of service attacks released in the last 6-12 months. It doesn't make any sense why most people who consider themselves responsible admins would rather bicker over responsibility than fix their networks and be done with it. If everyone but the few networks that allow directed broadcasts fixed spoofed packets from their customers leaving through their network, it would seem that smurf/fraggle/teardrop/land/etc. would have all been only mildly effective, and much easier to trace back.
My $0.02

Regards,
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
Fortune: 43rd Law of Computing: Anything that can go wr
fortune: Segmentation violation -- Core dumped
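As an added example (not part of the thread and not anyone's production code), a Python model of the two filters the post says every ISP needs: refusing inbound packets addressed to the broadcast address of any local subnet (so the network cannot act as a smurf amplifier, whether the subnet is a /24 or a /30), and dropping outbound packets whose source is not inside a customer prefix. All prefixes, the outside address and the packet records are constructed sample data.

```python
"""Audit model of the two router filters argued for in the post:
1. no directed broadcast: drop inbound packets sent to the broadcast
   address of a local subnet (smurf amplifier prevention);
2. egress anti-spoofing: drop outbound packets whose source address
   is not in any customer prefix (keeps customers from smurfing out).
Prefixes and packets below are constructed examples (RFC 5737 space)."""
import ipaddress

# Constructed local subnets; customers are assumed to live inside them.
LOCAL_SUBNETS = [ipaddress.ip_network(p) for p in
                 ("192.0.2.0/24", "198.51.100.64/27", "203.0.113.8/30")]
CUSTOMER_PREFIXES = LOCAL_SUBNETS

def amplification(prefix):
    """Hosts that could answer a ping to this subnet's broadcast address.
    Shows the post's point: a /24 amplifies far more than a /30."""
    return ipaddress.ip_network(prefix).num_addresses - 2

def broadcast_targets(subnets):
    """Directed-broadcast addresses an amplifier would answer from."""
    return {n.broadcast_address for n in subnets}

def classify(packet, direction):
    """packet = (src, dst, proto); direction 'in' (from the Internet)
    or 'out' (toward it). Returns the verdict the border router gives."""
    src = ipaddress.ip_address(packet[0])
    dst = ipaddress.ip_address(packet[1])
    if direction == "in" and dst in broadcast_targets(LOCAL_SUBNETS):
        return "drop-directed-bcast"          # we will not be an amplifier
    if direction == "out" and not any(src in p for p in CUSTOMER_PREFIXES):
        return "drop-spoofed"                 # our customers cannot spoof out
    return "accept"

def audit(packets):
    """Apply classify() to a list of (packet, direction) records."""
    return [(pkt, d, classify(pkt, d)) for pkt, d in packets]

# Constructed traffic; 198.18.0.1 stands in for an outside address.
SAMPLE = [
    (("198.18.0.1", "192.0.2.255", "icmp"), "in"),     # ping to /24 broadcast
    (("198.18.0.1", "203.0.113.11", "icmp"), "in"),    # ping to /30 broadcast
    (("198.18.0.1", "192.0.2.10", "icmp"), "in"),      # ordinary echo to a host
    (("10.9.9.9", "198.18.0.1", "udp"), "out"),        # spoofed source leaving
    (("192.0.2.10", "198.18.0.1", "udp"), "out"),      # legitimate customer traffic
]

if __name__ == "__main__":
    for pkt, direction, verdict in audit(SAMPLE):
        print(f"{direction:3} {pkt[0]:>12} -> {pkt[1]:<13} {verdict}")
```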