[unisog] The old smurf attack and router filters

John Kristoff jtk at aharp.is-net.depaul.edu
Mon Dec 3 23:15:16 GMT 2001

On Mon, Dec 03, 2001 at 03:47:39PM -0600, DelVecchio, Anthony R. wrote:
> things I did was take a look at our router configs and added a NO IP
> DIRECTED BROADCASTS which I believe is standard on latest router configs. 

The net thanks you.  :-)

> The problem was that smurfs were still working.  I eventually discoverd that
> this was because the router was looking at the netwok address of our class B
> and not the subnets we had broken it into. So I added some access lists
> blocking .0's and 255's going both ways (to be good net neighbors) and all
> was well with the universe. I have not seen this attack in about 2 years.

Can you explain what you discovered?  Were packets coming in from the
net to your subnets and being amplified to all hosts?  The 'no ip directed-
broadcast' command should definitely stop them before they hit your LANs.

If you mean that attacks were leaving your net destined for some x.x.x.0
or x.x.x.255 address, then there is not much you can do.  Only the last
hop router knows whether that is a broadcast packet or not based on the
subnet mask.  You shouldn't be stopping packets with IP addresses ending
in .0 or .255 from leaving your net.  If thats how you're preventing your
net from being a source of the attacks, then you should block lots more
addresses too - like ones ending in .127, .63 .31 and so on.  How do you
know what the destination subnet broadcast address is?

> My boss is claiming that other Universities don't do this and I'm wondering
> how true it is and if I have to drop the filter what a good solution may be.

I'm not sure exactly what you're doing, but we definitely don't block
addresses based on the last octet's value.  Classless address makes doing
this a very bad idea and classless addressing isn't going away.  :-)


More information about the unisog mailing list