ICANN Targets DDoS Attacks

On Tue, 29 Oct 2002 16:00:06 -0500, Valdis.Kletnieks@vt.edu wrote,

(OK.. *technically*, Christ is correct.. you can't tell.. but still)

On the classless Internet, how does any router know what is or is not
a broadcast address when the final destination is not local?

Bitch bitch whine whine.

Why is it that the people who *RUN* the network have so much difficulty
identifying such things, when a bunch of script kiddies(*) can put up a
web site with a nice list, sorted by number of generated packets per
ping packet? If all other creativity fails, visit the website, see if
any of the addresses fall into your customer's space, and call them if
you find any.

Let's face it - this wouldn't be an issue if it wasn't well within the
ability of the average 15-year-old pimply-faced script kiddie to figure

OK. Sorry. It's been waaay too long a day, I'm done venting now. :wink:

On a more practical note, you don't really care *that* much about an ICMP Echo
Request coming out of one of your customers (at least as long as the address is
in their space, but that's just ingress/egress filtering :wink:) heading to some
address at an ISP in some Third World country. And as noted, there isn't much
you can do about it. What you *do* care about is a packet coming in and headed
to one of your customer's broadcast addresses. You care because if they're a
smurf amp, you're about to get hit by a packet flurry, and because you're close
enough to be able to *do* something about it. And let's face it - if you've
sold them a /24(**), then the .255 address is quite likely a broadcast packet (even
if they have subnetted the /24 - think about it). The only other option is if
they've used a /31 to number a router link at the very top of their space - and
in that case, re-read RFC3021, section 2.2.1 :wink:

OK.. Now where did I leave my asbestos underwear? :wink:
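The check sketched in the message above, as an added example that is not code from this thread or from any of its participants: it takes a list of customer allocations, treats the last address of each sold block as a likely directed-broadcast target (the "even if they subnetted it" point is checked in code: whatever equal-size subnets the block is carved into, the top subnet's broadcast is still the block's last address), drops spoofed-source packets leaving a customer port, and flags inbound packets aimed at those addresses. The customer names, prefixes (documentation ranges) and packets are constructed for the example; the in/out direction tag is assumed to come from the port the packet arrived on; and the /31 exception is an assumption in the sense that it is applied only where the customer has declared an RFC 3021 /31 at the top of the block (a /31 has no broadcast address, both addresses are hosts).

```python
"""Flag likely smurf-amplifier targets in customer space (added example)."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Customer:
    name: str
    prefix: IPv4Net
    # Assumption: True only when the customer has told you the top two
    # addresses of the block form an RFC 3021 /31 router link (no broadcast
    # address on a /31; both addresses are hosts).
    top_is_p2p_31: bool = False


def top_broadcast_is_invariant(prefix) -> bool:
    """Subnetting does not move the top broadcast: for every equal-size split
    of the block (down to /30; /31 has no broadcast), the highest subnet's
    broadcast is still the block's own last address."""
    net = IPv4Net(prefix)
    for plen in range(net.prefixlen + 1, 31):
        top_subnet = list(net.subnets(new_prefix=plen))[-1]
        if top_subnet.broadcast_address != net.broadcast_address:
            return False
    return True


def broadcast_targets(customers) -> dict:
    """Map each likely directed-broadcast address to the customer owning it."""
    targets = {}
    for c in customers:
        if c.prefix.prefixlen >= 31:   # /31 and /32 carry no broadcast address
            continue
        if not c.top_is_p2p_31:
            targets[c.prefix.broadcast_address] = c
    return targets


def owner_of(addr: IPv4Addr, customers):
    for c in customers:
        if addr in c.prefix:
            return c
    return None


def classify(src: str, dst: str, direction: str, customers) -> str:
    """direction is 'in' (from the rest of the Internet toward a customer)
    or 'out' (leaving a customer port). Returns a textual verdict."""
    s, d = IPv4Addr(src), IPv4Addr(dst)
    if direction == "out":
        # Egress filtering: a customer may only source packets from its own space.
        if owner_of(s, customers) is None:
            return "drop: spoofed source (egress filter)"
        return "ok"
    if direction != "in":
        raise ValueError(f"unknown direction {direction!r}")
    targets = broadcast_targets(customers)
    if d in targets:
        return f"drop+notify: directed broadcast into {targets[d].name} (smurf amplifier)"
    c = owner_of(d, customers)
    if c is None:
        return "transit: not our customer, nothing to do"
    if c.top_is_p2p_31 and d == c.prefix.broadcast_address:
        return f"ok: host address on {c.name}'s /31 link (RFC 3021)"
    return "ok"


# Constructed sample data: documentation ranges, not real customers.
CUSTOMERS = [
    Customer("cust-a", IPv4Net("192.0.2.0/24")),
    Customer("cust-b", IPv4Net("198.51.100.0/24"), top_is_p2p_31=True),
]

SAMPLE_PACKETS = [
    ("203.0.113.9", "192.0.2.255", "in"),     # echo request to .255 of a sold /24
    ("203.0.113.9", "192.0.2.10", "in"),      # ordinary inbound packet
    ("203.0.113.9", "198.51.100.255", "in"),  # .255 is a host on cust-b's declared /31
    ("192.0.2.10", "203.0.113.9", "out"),     # customer sourcing from its own space
    ("10.0.0.1", "203.0.113.9", "out"),       # source not in any customer block
    ("203.0.113.9", "233.252.0.1", "in"),     # not ours at all
]


def run_samples() -> dict:
    return {p: classify(*p, CUSTOMERS) for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    print("top broadcast invariant under subnetting:",
          top_broadcast_is_invariant("192.0.2.0/24"))
    for pkt, verdict in run_samples().items():
        print(pkt, "->", verdict)
```

The script only flags candidates; as the message says, the .255 of a sold /24 is "quite likely" a broadcast, not certainly one, so the verdict is drop-and-notify rather than a silent blackhole, and the one case where .255 is known to be a host (a declared /31 at the top of the block) is let through.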

I didn't mean it to take that tone. I didn't understand what you were
trying to propose. I assumed that either (a) I was missing something
obvious or (b) there was an implicit assumption somewhere in your
statement that I didn't pick up. It looks like you were talking about
filtering IP directed broadcasts on routers destined to _your own_
customers. I hadn't picked up on that. I thought you were just going
to be dropping broadcasts crossing your network. (period)

The first, dropping broadcasts destined to your customers, is possibly
doable, but not trivial. The second, catching all broadcasts coming
in, out, or just passing through, is pretty much impossible.

I am considering using Aleron (http://www.aleron.com/network) as an
internet service provider and wondering if anyone has an opinion on
their network, service or its support.

You can contact me off-list if you like.

David A. Lauer
Network Engineer
Tristar Communications