[unisog] The old smurf attack and router filters

John Kristoff jtk at aharp.is-net.depaul.edu
Tue Dec 4 03:15:04 GMT 2001


On Mon, Dec 03, 2001 at 04:48:47PM -0800, Peter Van Epp wrote:
> 	When last I checked (several years ago) the no directed broadcast (at
> least in Cisco and Cabletron routers) blocked 255 addresses but not the 0 
> (network) address. A specific (inbound only as has been pointed out) access 
> list was needed to stop 0 based smurfs. So if you are depending on only the 
> no directed broadcasts, I'd suggest trying a ping to a .0 address from outside
> your border and see how many responses you are getting (the smurfers used to 
> scan for .0 addresses as well as 255 too.)

If the router is converting the IP to a MAC broadcast, it should not
forward it, even if it is all 0's in the host portion of the IP address.
I just ran a quick test on some test Cisco gear and this appears to be
the case.  It may be an old problem, hopefully fixed long ago for most
router software.  I'd be interested to hear if anyone finds differently.
If so, please indicate the vendor and version of code.

John
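
An added example, not part of the original post and not code from either poster: it computes both directed-broadcast forms discussed above (all-zeros and all-ones host portion) for each internal subnet, emits an inbound deny entry for each, and labels destinations seen in border logs. The subnets, ACL number 110 and the trailing permit line are assumptions chosen for illustration, and it generalizes past /24 so that the "0" and "255" addresses are computed from the mask.

```python
import ipaddress

# Constructed sample subnets (documentation ranges), not from the original post.
SAMPLE_SUBNETS = ["192.0.2.0/24", "198.51.100.64/26", "203.0.113.8/31"]

def broadcast_forms(subnet):
    """Return (all_zeros, all_ones) host-part addresses, or None for /31 and /32."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen >= 31:          # point-to-point or host route: no broadcast
        return None
    return net.network_address, net.broadcast_address

def classify(dst, subnets):
    """Label a destination 'all-zeros', 'all-ones' or None for the given subnets."""
    addr = ipaddress.ip_address(dst)
    for subnet in subnets:
        forms = broadcast_forms(subnet)
        if forms is None:
            continue
        if addr == forms[0]:
            return "all-zeros"
        if addr == forms[1]:
            return "all-ones"
    return None

def inbound_acl(subnets, acl_number=110):
    """Build Cisco-style extended ACL lines denying both forms at the border."""
    lines = []
    for subnet in subnets:
        forms = broadcast_forms(subnet)
        if forms is None:
            continue
        for addr in forms:
            lines.append(f"access-list {acl_number} deny ip any host {addr}")
    # Assumed final entry so the implicit deny does not drop all other traffic.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

if __name__ == "__main__":
    for line in inbound_acl(SAMPLE_SUBNETS):
        print(line)
    # Constructed destinations, as they might appear in border flow logs.
    for dst in ["192.0.2.0", "198.51.100.127", "198.51.100.64", "192.0.2.10"]:
        print(dst, classify(dst, SAMPLE_SUBNETS))
```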


