Re: RLBM (un"protection" method)
-----Original Message-----
From: Paul Ferguson <ferguson@cisco.com>
To: Eric Osborne <osborne@notcom.com>
Cc: Dave Van Allen <dave@fast.net>; eric@ccti.net <eric@ccti.net>; nanog@merit.edu <nanog@merit.edu>
Date: Thursday, January 22, 1998 11:00 AM
Subject: Re: Reporting Little Blue Men
At 10:55 PM 1/21/98 -0500, Eric Osborne wrote:
How do you prevent packets from your network with a broadcast address, since what defines a "broadcast" address really depends on the subnet mask?
"no ip directed-broadcast"
- paul
That directive on the router will only protect the network of the router interface it is put on. For example, if I have:

    !
    hostname Router1
    !
    interface Ethernet0
     ip address X.Y.Z.1 255.255.255.0
     no ip directed-broadcast
    !

"ONLY" X.Y.Z.0 will be protected from someone trying to use "ping X.Y.Z.255" as a bounce site. No other networks beyond the one I have defined with my subnet mask will be protected.

The reason I know this is because I was hoping this directive would be an easy fix...but when I checked it out, the hole in my logic became apparent. If anyone has experienced different, I would be interested in hearing the IOS used and the setup of the router.

The "no ip directed-broadcast" directive, if applied to all router interfaces, will prevent your site from being a bounce site in the smurf attack. Unfortunately, it will not prevent you from being the end victim. The only way I can think of to stop your site from being a victim is to do one of two things:

1) block all ICMP (type 8, in particular) or
2) Have some type of firewall device that keeps track of all ICMP requests coming from your site with the intent to block any ICMP responses that do not match a request.

Option 1 is not possible for most, and I currently don't know of a proxy/firewall/etc... that will track ICMP in this way. If anyone does, please let me know!

Sam Birch
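Sam's option 2 is a stateful ICMP echo filter: remember each echo request that leaves the site and admit only replies that mirror one. The block below is an added example written for this archive page, not code from any list participant; packet records, addresses (documentation ranges) and the five-second timeout are constructed assumptions.

```python
# Added example (not from the thread): the "track outbound echo requests,
# drop unmatched replies" filter described in option 2, run over constructed
# packet records. Addresses are RFC 5737 documentation ranges, not real hosts.
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int   # ICMP echo identifier
    seq: int     # ICMP echo sequence number
    ts: float    # arrival time in seconds (constructed clock)


class IcmpEchoTracker:
    """Stateful ICMP filter: an echo reply passes only if it matches a recent outbound request."""

    def __init__(self, timeout=5.0):
        self.timeout = timeout
        self.pending = {}  # (local, remote, ident, seq) -> expiry time

    def outbound(self, pkt):
        """Record an echo request leaving the site; one reply is allowed per request."""
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = pkt.ts + self.timeout

    def inbound(self, pkt):
        """Return True if an inbound packet should be admitted, False if dropped."""
        self.pending = {k: t for k, t in self.pending.items() if t >= pkt.ts}
        if pkt.icmp_type != ECHO_REPLY:
            return True  # only echo replies are policed by this tracker
        # A reply is the mirror image of the request: the local host is now the destination.
        return self.pending.pop((pkt.dst, pkt.src, pkt.ident, pkt.seq), None) is not None


def run_demo():
    """Constructed traffic: one legitimate ping, then a burst of reflected replies."""
    tracker = IcmpEchoTracker()
    victim, remote = "192.0.2.10", "198.51.100.5"
    tracker.outbound(IcmpPacket(victim, remote, ECHO_REQUEST, 0x1234, 1, 0.0))
    results = [tracker.inbound(IcmpPacket(remote, victim, ECHO_REPLY, 0x1234, 1, 0.1))]
    # Smurf-style reflection: replies from a whole bounce subnet the victim never pinged.
    for host in range(1, 51):
        reflected = IcmpPacket(f"203.0.113.{host}", victim, ECHO_REPLY, 0x4242, 1, 0.2)
        results.append(tracker.inbound(reflected))
    return results.count(True), results.count(False)  # (admitted, dropped) -> (1, 50)


if __name__ == "__main__":
    print(run_demo())
```

Because each pending entry is consumed by its first matching reply, duplicate or replayed replies are dropped along with the reflected ones; the timeout also prunes requests that never got an answer.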
At 10:14 PM 1/22/98 -0600, Sam Birch wrote:
The "no ip directed-broadcast" directive, if applied to all router interfaces, will prevent your site from being a bounce site in the smurf attack. Unfortunately, it will not prevent you from being the end victim.
So, the education initiative is that *you* and *I* need to explain to the masses why this needs to be done, no? We even have tee shirts. :-) - paul