traffic filtering

Hello,

I'm curious about how many networks completely filter all traffic to
any ip address ending in either ".0" or ".255".

I'm curious because any network /0-/23,/31,/32 can legitimately have
ip addresses in use which end as such. /32's can obviously have (most) any ip
address, since there is no notion of a network or broadcast address. /31
doesn't have a directed broadcast. For /0-/23 only the first ".0" and the
last ".255" correspond to reserved addresses. All of the intervening
addresses are legal.

Is this type of filtering common? What alternate solutions are available
to mitigate (I'm assuming) concerns about smurf amplifiers, that still
allow traffic to/from legitimate addresses. What rationale is used to
filter all traffic to network/broadcast addresses of /24 networks while
ignoring network/broadcast of /25-/30? For that matter, what percentage
of smurf amplifiers land on /24 boundaries?

Thanks,
Stephen

they will have problems reaching people who are now using /31s
on links that cover the last /31 and first /31 of the /24 that they reside
in.

  - Jared

Stephen Griffin wrote:

> I'm curious about how many networks completely filter all traffic to
> any ip address ending in either ".0" or ".255".

I've only heard of one other institution doing this.

> I'm curious because any network /0-/23,/31,/32 can legitimately have
> ip addresses in use which end as such. /32's can obviously have (most) any ip
> address, since there is no notion of a network or broadcast address. /31
> doesn't have a directed broadcast. For /0-/23 only the first ".0" and the
> last ".255" correspond to reserved addresses. All of the intervening
> addresses are legal.

Right. That is exactly why this is generally at least a silly, if not
bad idea.

> Is this type of filtering common? What alternate solutions are available

I don't think it is very common. I'd be curious to hear otherwise.

> to mitigate (I'm assuming) concerns about smurf amplifiers, that still
> allow traffic to/from legitimate addresses. What rationale is used to

Devices that forward (routers) should provide mechanisms to disable the
forwarding of directed broadcasts. See the following RFC:

http://www.rfc-editor.org/rfc/rfc2644.txt

> filter all traffic to network/broadcast addresses of /24 networks while
> ignoring network/broadcast of /25-/30? For that matter, what percentage
> of smurf amplifiers land on /24 boundaries?

Rationale? Perhaps sites that only use /24 in their route tables have
that rationale? Otherwise it's probably due to a misunderstanding of IP
addressing.

John
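To make Stephen's point about /0-/23, /31 and /32 concrete, and John's point that the filter rests on a misunderstanding of IP addressing, here is a small Python script (added here; not from any poster in the thread) that classifies an address as network, broadcast or host given its real prefix length, and counts the collateral damage of a filter that only looks at the last octet. The prefixes used as input (192.168.0.0/23, 10.0.0.128/25, a /31 at the top of a /24) are constructed sample values, not addresses from the thread.

```python
import ipaddress


def classify(addr: str, prefixlen: int) -> str:
    """Return 'network', 'broadcast' or 'host' for addr within its prefix.

    A /31 point-to-point link has no directed broadcast and a /32 has no
    notion of a network or broadcast address at all, so every address in
    those prefixes is a usable host address.
    """
    ip = ipaddress.IPv4Address(addr)
    # strict=False lets us pass a host address rather than the prefix base.
    net = ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)
    if prefixlen >= 31:
        return "host"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def naive_octet_filter(addr: str) -> bool:
    """The filter the thread discusses: drop anything ending in .0 or .255,
    with no knowledge of the prefix length behind the address."""
    last_octet = int(addr.rsplit(".", 1)[1])
    return last_octet in (0, 255)


def collateral(prefix: str) -> tuple[list[str], list[str]]:
    """Walk every address in prefix and compare the naive filter with the
    real network/broadcast classification.

    Returns (legitimate hosts the filter drops, reserved addresses it misses).
    """
    net = ipaddress.IPv4Network(prefix)
    dropped_hosts = []
    missed_reserved = []
    for ip in net:  # iterates network and broadcast addresses too
        kind = classify(str(ip), net.prefixlen)
        blocked = naive_octet_filter(str(ip))
        if blocked and kind == "host":
            dropped_hosts.append(str(ip))
        if not blocked and kind != "host":
            missed_reserved.append(str(ip))
    return dropped_hosts, missed_reserved


if __name__ == "__main__":
    # Constructed sample prefixes illustrating each case from the thread.
    for p in ("192.168.0.0/23", "10.0.0.128/25", "10.1.1.254/31", "10.2.2.255/32"):
        dropped, missed = collateral(p)
        print(f"{p}: drops legitimate hosts {dropped}, misses reserved {missed}")
```

Run it and the three failure modes raised in the thread fall out directly: in a /23 the filter drops the two interior hosts (.0.255 and .1.0) while catching nothing that the prefix itself does not already reserve; in a /25 it lets the network address .128 through untouched; and on a /31 covering the last pair of a /24 it drops a perfectly good link address, which is Jared's objection. The defensible control for directed-broadcast amplification is the one John names, disabling forwarding of directed broadcasts on the router (RFC 2644), rather than guessing at masks from the last octet.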

As of last Monday / Tuesday, approximately 45% of all smurf amplifiers in
the RIPE region had addresses ending in .0 or .255 [1].
I'm unsure about ARIN / APNIC IP space.

I would certainly hope the kind of filtering you mention is uncommon :)
If you filter on your ingress, packets whose destination address ends in .0
or .255, and you are a smurf amplifier, you're only stalling the
inevitable.
The best course of action is to fix the smurf amplifier itself :)
Check http://www.ircnetops.org/smurf/faq.php if you need to do this.

Regards,

[1] = Data provided by SAFE (http://www.ircnetops.org/smurf)

I heard recently that Windows 2000 will refuse to send packets
to addresses with the least-significant octet 255, if the most-
significant octet indicates the address lies in a pre-CIDR class
C. So, for example, 192.168.0.255 would be unreachable from a
windows 2000 machine, regardless of the fact that it might be
a legitimate host numbered within 192.168.0.0/23.

This seems like a strange design decision for windows 2000, if
it's real. But, if it *is* true, the answer to your question "is
this kind of filtering common" might be a strong "yes", at least
in the Microsoft-populated extreme network edge.

Joe

Date: Tue, 22 Jan 2002 12:34:57 -0500
From: Joe Abley <jabley@automagic.org>

> This seems like a strange design decision for windows 2000, if

Strange? Stupid is more like it.

> it's real. But, if it *is* true, the answer to your question "is
> this kind of filtering common" might be a strong "yes", at least
> in the Microsoft-populated extreme network edge.

Wouldn't surprise me. IIRC, Win95 (NT? 98?) would send bcast
messages to the classful broadcast address, regardless of subnet
mask.

Anyone have a Win2000 machine handy to confirm or deny?

Eddy

Not true. M$ is guilty of many evil things, but not this one.

Never mind. Brain several iterations behind keyboard. It was
kindly pointed out to me offlist. I will now return to lurking
where I belong.

thx,

> > I'm curious about how many networks completely filter all traffic to
> > any ip address ending in either ".0" or ".255".
>
> I heard recently that Windows 2000 will refuse to send packets
> to addresses with the least-significant octet 255, if the most-
> significant octet indicates the address lies in a pre-CIDR class
> C. So, for example, 192.168.0.255 would be unreachable from a
> windows 2000 machine, regardless of the fact that it might be
> a legitimate host numbered within 192.168.0.0/23.

> Not true. M$ is guilty of many evil things, but not this one.

I just tried this. This is not exhaustive. I may well have made
some kind of some screw-up. Interpret as you will. Contents may
have settled in transit.

  NetBSD 1.5.2 i386 FreeBSD 4.5-PRERELEASE

How about "when doing networking avoid Windows" instead? ;^)

Being at a site which not only uses .0 & .255 addresses in our network but
also has a "255" in two of our base net numbers (128.255.0.0/16 &
129.255.0.0/16), I appeal to sanity & common sense in requesting that folks
not blindly filter on octets of 0 or 255 when they don't (& can't) know the
corresponding net masking.

> > I guess the rule of thumb when numbering devices which need to
> > coexist with Windows is "avoid 255".
>
> How about "when doing networking avoid Windows" instead? ;^)
>
> Being at a site which not only uses .0 & .255 addresses in our network but
> also has a "255" in two of our base net numbers (128.255.0.0/16 &
> 129.255.0.0/16), I appeal to sanity & common sense in requesting that folks

you appeal to 'sanity & common sense'.. good luck in your crusade!

hehe