On Tue, 29 Oct 2002 16:00:06 -0500, Valdis.Kletnieks@vt.edu wrote,
On Tue, 29 Oct 2002 12:48:39 PST, Jeff Shultz said:
Smurf.
Okay. What will this do to my user's ping and traceroute times, if anything? I've got users who tend to panic if their latency hits 250ms between here and the moon (slight exaggeration, but only slight).
I just love it when I've got people blaming me because the 20th hop on a traceroute starts returning * * * instead of times.
So you rate limit it to several/second or something appropriate for the normal traffic levels. You don't allow ping/traceroute to broadcast addresses.
On the classless Internet, how does any router know what is or is not a broadcast address when the final destination is not local?

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
On Wed, 30 Oct 2002 13:35:38 PST, "Crist J. Clark" said:
(OK.. *technically*, Crist is correct.. you can't tell.. but still)
On the classless Internet, how does any router know what is or is not a broadcast address when the final destination is not local?
Bitch bitch whine whine. Why is it that the people who *RUN* the network have so much difficulty identifying such things, when a bunch of script kiddies(*) can put up a web site with a nice list, sorted by number of generated packets per ping packet? If all other creativity fails, visit the website, see if any of the addresses fall into your customer's space, and call them if you find any. Let's face it - this wouldn't be an issue if it wasn't well within the ability of the average 15-year-old pimply-faced script kiddie to figure out.

OK. Sorry. It's been waaay too long a day, I'm done venting now. ;)

On a more practical note, you don't really care *that* much about an ICMP Echo Request coming out of one of your customers (at least as long as the address is in their space, but that's just ingress/egress filtering ;) heading to some address at an ISP in some Third World country. And as noted, there isn't much you can do about it.

What you *do* care about is a packet coming in and headed to one of your customer's broadcast addresses. You care because if they're a smurf amp, you're about to get hit by a packet flurry, and because you're close enough to be able to *do* something about it. And let's face it - if you've sold them a /24(**), then the .255 address is quite likely a broadcast packet (even if they have subnetted the /24 - think about it). The only other option is if they've used a /31 to number a router link at the very top of their space - and in that case, re-read RFC3021, section 2.2.1 ;)

OK.. Now where did I leave my asbestos underwear? ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech

(*) And yes, I know that the *famous* list isn't done by script kiddies, but it's not the only one. ;)
(**) And don't whine about if you sold them something other than a /24 - there's enough /24's to make it worthwhile....
On Wed, Oct 30, 2002 at 10:13:11PM -0500, Valdis.Kletnieks@vt.edu wrote:
On Wed, 30 Oct 2002 13:35:38 PST, "Crist J. Clark" said:
(OK.. *technically*, Crist is correct.. you can't tell.. but still)
On the classless Internet, how does any router know what is or is not a broadcast address when the final destination is not local?
Bitch bitch whine whine.
I didn't mean it to take that tone. I didn't understand what you were trying to propose. I assumed that either (a) I was missing something obvious or (b) there was an implicit assumption somewhere in your statement that I didn't pick up.

It looks like you were talking about filtering IP directed broadcasts on routers destined to _your own_ customers. I hadn't picked up on that. I thought you were just going to be dropping broadcasts crossing your network. (period)

The first, dropping broadcasts destined to your customers, is possibly doable, but not trivial. The second, catching all broadcasts coming in, out, or just passing through, is pretty much impossible.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
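The check Valdis describes and Crist calls "possibly doable" (flagging inbound echo requests aimed at the top address of a /24 you assigned to a customer, with the RFC 3021 /31 case carved out), as an added Python example that is not from the thread; the customer blocks, the declared /31 host and the flow records are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed: the /24 blocks this ISP has assigned to customers (assumption).
CUSTOMER_BLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed: top addresses a customer has told us are /31 link numbering
# (RFC 3021), so they are hosts rather than broadcast targets (assumption).
DECLARED_P2P_HOSTS = {ipaddress.ip_address("198.51.100.255")}

# Constructed flow records: (src, dst, icmp_type); type 8 = echo request.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.255", 8),
    ("203.0.113.7", "192.0.2.255", 8),
    ("203.0.113.7", "192.0.2.255", 8),
    ("203.0.113.9", "192.0.2.10", 8),       # ordinary ping to a host
    ("203.0.113.7", "192.0.2.255", 0),      # echo reply, not the amp trigger
    ("203.0.113.7", "198.51.100.255", 8),   # declared /31 host, not flagged
]


def customer_broadcast(dst):
    """Return the customer /24 whose top (.255) address is dst, or None.

    Even if the customer subnetted the /24, its top address is still the
    directed broadcast of the last subnet, unless they numbered a /31 link
    there (RFC 3021), which we take from DECLARED_P2P_HOSTS."""
    addr = ipaddress.ip_address(dst)
    if addr in DECLARED_P2P_HOSTS:
        return None
    for net in CUSTOMER_BLOCKS:
        if addr == net.broadcast_address:
            return net
    return None


def amp_triggers(flows, per_source_limit=2):
    """Count inbound echo requests aimed at customer broadcast addresses.

    Returns {(src, dst): count} for sources over per_source_limit, i.e. the
    traffic to rate-limit or drop before calling the customer about it."""
    counts = Counter()
    for src, dst, icmp_type in flows:
        if icmp_type == 8 and customer_broadcast(dst) is not None:
            counts[(src, dst)] += 1
    return {k: v for k, v in counts.items() if v > per_source_limit}
```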
I am considering using Aleron (http://www.aleron.com/network) as an internet service provider and wondering if anyone has an opinion on their network, service or its support. You can contact me off-list if you like.

David A. Lauer
Network Engineer
Tristar Communications
dalauer@tristarcorp.net