Bernd Eckenfels wrote:
> On Fri, Jan 21, 2005 at 11:38:02PM +0100, Ansgar -59cobalt- Wiechers wrote:
>> You're right. Spoofed traffic may be dropped all the way, but with
>> broadcasts I would prefer to reject the packets.
>
> If it is an amplifier attack, then sending back packets will hit the victim
> (less hard). I guess it's safe to assume hostile intent in ingress broadcasts,
> at least when it is "obvious" broadcast to class-borders like /24.
>
> Greetings
> Bernd
My point is: how do you send packets back to the sender if the packet came in on a connected interface that does not host the network that it says? As a simplistic example, if a packet comes from the external internet and says it's coming from an IP on my internal net, how will my server route the return packet? It won't. My server's IP stack will try to send the return packet out my internal interface and it will never get there. Wherever *there* is. This includes broadcast, multicast, everything. Drop it. Stop trying. Bit bucket.

In addition, I'm not talking about special circumstances like an ISP routing traffic from AS to AS where strange traffic must be forwarded. I'm talking about stub networks. This is debian-firewall, not nanog.

For a stub net, I'm dropping all broadcast traffic. I shouldn't get it from my ISP's router that connects me to the net, and I shouldn't get it from anyone else (legitimately) either. Name me some broadcast traffic that a stub net receives that is anything more than noise from netbios, or dhcp or similar.

--
+==========================
+ Phil Dyer
+ email: [EMAIL PROTECTED]
+==========================
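The reasoning in Phil's reply (a reply to a spoofed source can never reach the real sender, so the packet is dropped; broadcast arriving from the ISP side is noise) written out as a reverse-path check. This is an added illustration, not code from the thread or from any Debian firewall package; the interface names, the internal 192.168.1.0/24 prefix and the routing table are constructed for the example, and the broadcast/multicast drop is applied only on the ISP-facing interface.

```python
import ipaddress

# Constructed stub-network layout (not from the thread):
# eth0 faces the ISP and carries the default route, eth1 hosts the internal /24.
ROUTES = {
    "eth1": [ipaddress.ip_network("192.168.1.0/24")],
    "eth0": [ipaddress.ip_network("0.0.0.0/0")],
}
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_IFACE = "eth0"


def egress_iface(addr):
    """Interface a reply to `addr` would leave on (longest-prefix match)."""
    addr = ipaddress.ip_address(addr)
    best = None
    for iface, nets in ROUTES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
    return best[0] if best else None


def is_broadcast(addr):
    """Limited broadcast or the directed broadcast of any local network."""
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def ingress_verdict(in_iface, src, dst):
    """Return 'DROP' or 'ACCEPT' for a packet arriving on in_iface.

    Mirrors the post: if the reply to `src` would not leave on the interface
    the packet arrived on, the source is spoofed and nothing we send back can
    reach the true sender, so the packet is silently dropped rather than
    rejected. Broadcast and multicast from the ISP side is dropped outright.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if in_iface == EXTERNAL_IFACE and (is_broadcast(dst) or dst.is_multicast):
        return "DROP"
    if egress_iface(src) != in_iface:
        return "DROP"  # reverse-path check failed: claimed source is unroutable here
    return "ACCEPT"
```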

