Oops, I simply assumed that most people here own a C or B with a 24-bit subnet mask. So the filter should really take the way you do subnetting into account.
Regards,
Dennis
-----Original Message-----
From: Chris Wedgwood [mailto:chris.wedgwood(a)clear.co.nz]
Sent: Tuesday, February 15, 2000 1:51 PM
To: Dennis Su
Cc: 'Roger De Salis'; nznog(a)list.waikato.ac.nz
Subject: Re: Large Scale Internet Attacks - Technical article.
Alternatively, a packet filter on a boundary router blocking any IP packet destined to *.0 or *.255 would do the trick but you still need "no ip directed-broadcast" to deal with the directed broadcast originating from your internal network.
That can and will break access to hosts that are on /n networks where n!=0 mod 8, for example, 10.0.100.0 and 10.0.0.255 are perfectly valid host addresses in 10.0.0.0/8.
-cw
P.S. Alas, to make matters worse, some machines (for example Sun boxes) still respond to *.255 pings even when they are on a (say) /21 network and shouldn't...
--
Chris Wedgwood chris.wedgwood(a)clear.co.nz
---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
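Added example, not part of the original thread: a Python sketch comparing the "*.0 or *.255" rule discussed above with a filter derived from the actual subnet plan. The subnet list, destination list and function names are constructed for illustration; only 10.0.100.0 and 10.0.0.255 in 10.0.0.0/8 come from the thread.

```python
import ipaddress

def naive_filter_blocks(addr):
    """The '*.0 or *.255' rule from the thread: looks at the last octet only."""
    return ipaddress.IPv4Address(addr).packed[-1] in (0, 255)

def directed_broadcast_targets(subnets):
    """Network and broadcast address of every subnet actually configured."""
    targets = set()
    for s in subnets:
        net = ipaddress.IPv4Network(s)
        if net.prefixlen < 31:  # /31 and /32 have no broadcast address
            targets.add(net.network_address)
            targets.add(net.broadcast_address)
    return targets

def compare(subnets, destinations):
    """Say how the naive rule treats each destination versus the subnet-aware rule."""
    targets = directed_broadcast_targets(subnets)
    report = {}
    for d in destinations:
        naive = naive_filter_blocks(d)
        real = ipaddress.IPv4Address(d) in targets
        if naive and not real:
            report[d] = "false positive: valid host blocked"
        elif real and not naive:
            report[d] = "false negative: directed broadcast passes"
        elif real:
            report[d] = "blocked correctly"
        else:
            report[d] = "passed correctly"
    return report

# Constructed subnet plan (assumption): one /8, one /21, one /26.
SUBNETS = ["10.0.0.0/8", "172.16.8.0/21", "192.168.1.0/26"]
# Constructed destinations; the first two are the hosts named in the thread.
DESTINATIONS = ["10.0.100.0", "10.0.0.255", "172.16.9.255",
                "172.16.15.255", "192.168.1.63", "192.168.1.10"]

if __name__ == "__main__":
    for dest, verdict in compare(SUBNETS, DESTINATIONS).items():
        print(f"{dest:15} {verdict}")
```

This models addressing only; as the P.S. notes, some hosts answer *.255 regardless of their mask, so "no ip directed-broadcast" on the routers is still needed.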