Re: Filtering ICMP (Was Re: SMURF amplifier block list)

[Brandon Ross <bross () mindspring net>]

On Fri, 24 Apr 1998, Richard Irving wrote:

> Ok. You know how I always ask the obvious... So, here I go again..
>
> This is only slightly off topic.. If you have no amplifiers
> greater than 2x-4x, is there really a need to turn off ip directed
> broadcasts? 

My feelings there are "why not?".  If you are running on a platform (such
as Cisco) that makes it easy to turn off directed broadcast you can only
help by turning it off.  In the attacks that have come our way, the
attackers have used almost every size of amplifier.  I also suspect that
as network managers become more clueful (a slow painful process) that the
attackers will eventually have to resort to less efficient means of
attack.

>   And if this is true, doesn't designing your network with minimized
> amplifier space sort of negate all this ?

In some applications that wouldn't be a hard thing to do, but for most
it's nearly impossible.

Brandon Ross            Network Engineering     404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.  info () mindspring com
Mosher's Law of Software Engineering:  Don't worry if it doesn't work
right.  If everything did, you'd be out of a job.