SMURF amplifier block list

Brandon Ross said once upon a time:

Are we really concerned about being smurfed by a /30, or even a /27?

You should be. If I didn't have directed broadcasts turned off on my
network, it would be a very effective smurf amplifier. Because ARIN keeps
us on a very short leash, we use the smallest subnet we can get away with
for our POPs. Some such sites are very well connected.

We should be concerned about receiving ping floods from two single
addresses? The IP size of the network also figures into the nature of
the attack. Smurfing is made easier by large subnets without
directed-broadcast turned off. It is a lot more work to get the same
results from networks smaller than a /27.

Sorry, I should have been more clear. I took that earlier statement to
mean that we shouldn't be concerned about amplification networks smaller
than /24. I felt that was implied by the discussion about filtering
addresses ending in .255. The point I was trying to make is that I have
many networks with masks longer than /24 (the majority of which are
shorter than /27) that would make very effective smurf amplifiers if I
didn't have directed broadcasts turned off. In my experience I've found
that many networks use /24's, not because they necessarily need 254 hosts
on that network, but because it's convenient since the network/host number
falls on an octet boundary. Most of these networks I've seen have
significantly less than 254 hosts on them. My networks with longer masks
are much denser than what I've seen is the average /24, and therefore
possibly more dangerous as amplifiers.

Brandon Ross Network Engineering 404-815-0770 800-719-4664
Chief Network Engineer MindSpring Enterprises, Inc
Mosher's Law of Software Engineering: Don't worry if it doesn't work
right. If everything did, you'd be out of a job.

This is directed towards everyone who's been fortunate enough to take
part in this discussion, not necessarily you Mr. Ashdown.

If you've got an ISDN line or better, you can successfully ping flood a
/30 broadcast address with larger than normal packets and take down a
smaller link (ISDN or modem). It wouldn't be as effective as a /27, /24
or greater, but enough /27's and you'd have the same effect, though it'd
be more resource intensive on the attacker's end than just going after a
/24 or greater broadcast address.

Regardless, it doesn't matter what broadcast they ping, as they have
varying degrees of effectiveness. What really matters is if we've put
the same amount of effort into fixing our networks as we have arguing
about whose responsibility it is to fix it and what the best course of
action is. If you've got filters on your network to keep you from being a
smurf amplifier, then great. If you've got filters on your router to keep
your customers from starting smurf attacks, then great. But if you've only
got one and not the other, then you're just doing a half assed job. I
agree that IP directed broadcasts should be turned off on everyone's
routers, and those that ignore the problem or refuse to fix it should be
made to deal with it for the greater good of the Internet at large. But
if my customers can smurf out, I'm just as guilty as the people who don't
fix IP directed broadcasts.

As stated earlier, spoofed traffic is the #1 cause of most denial of
service attacks released in the last 6-12 months. It doesn't make any
sense why most people who consider themselves responsible admins would
rather bicker over responsibility than fix their networks and be done with
it. If everyone but the few networks that allow directed broadcasts fixed
spoofing packets from their customers leaving through their network, it
would seem that smurf/fraggle/teardrop/land/etc. would have all been only
mildly effective, and much easier to trace back.

My $0.02

Joe Shaw -
NetAdmin - Insync Internet Services
Fortune: 43rd Law of Computing: Anything that can go wr
         fortune: Segmentation violation -- Core dumped
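
An added example, not part of the original thread: a small audit an operator could run over their own subnet list to see which directed-broadcast addresses a "destination ends in .255" filter would miss, plus the customer-facing source check the second message asks for. The subnets and customer prefix are constructed sample values from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not from the thread.
POP_SUBNETS = ["192.0.2.0/24", "198.51.100.32/27", "198.51.100.64/28",
               "203.0.113.4/30", "203.0.113.128/25"]
CUSTOMER_PREFIXES = ["198.51.100.0/24"]


def directed_broadcast(cidr):
    """Return the directed-broadcast address of an IPv4 subnet."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError(f"{cidr}: subnet has no directed-broadcast address")
    return net.broadcast_address


def audit(subnets):
    """Per subnet: broadcast address, upper bound on hosts that could answer
    one broadcast ping, and whether a '.255' destination filter covers it."""
    rows = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        bcast = directed_broadcast(cidr)
        rows.append({
            "subnet": cidr,
            "broadcast": str(bcast),
            "max_responders": net.num_addresses - 2,  # minus network/broadcast
            "caught_by_dot255_filter": str(bcast).endswith(".255"),
        })
    return rows


def missed_by_dot255_filter(subnets):
    """Broadcast addresses that still need directed broadcasts disabled."""
    return [r["broadcast"] for r in audit(subnets)
            if not r["caught_by_dot255_filter"]]


def source_permitted(src, customer_prefixes):
    """Anti-spoofing check on the customer edge: forward a packet only if
    its source address lies inside a prefix assigned to that customer."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    for row in audit(POP_SUBNETS):
        print(row)
    print("missed by .255 filter:", missed_by_dot255_filter(POP_SUBNETS))
    print("spoofed source permitted?", source_permitted("192.0.2.9", CUSTOMER_PREFIXES))
```

The /27, /28 and /30 broadcasts end in .63, .79 and .7, so only disabling directed broadcasts on the router interface covers them; the responder count is an upper bound that a dense subnet approaches and a sparse /24 does not.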