
Re: Path MTU (was: RE:)



Bernd Eckenfels wrote:
> On Fri, Jan 21, 2005 at 11:38:02PM +0100, Ansgar -59cobalt- Wiechers wrote:
>> You're right. Spoofed traffic may be dropped all the way, but with
>> broadcasts I would prefer to reject the packets.
> 
> If it is an amplifier attack, then sending back packets will hit the victim
> (less hard). I guess it's safe to assume hostile intent in ingress broadcasts,
> at least when it is "obvious" broadcast to class-borders like /24.
> 
> Greetings
> Bernd
> 
> 

My point is: how do you send packets back to the sender if the packet
came in on a connected interface that does not host the network that it
says? As a simplistic example, if a packet comes from the external
internet and says it's coming from an IP on my internal net, how will my
server route the return packet? It won't. My server's IP stack will try
to send the return packet out my internal interface and it will never get
there. Wherever *there* is. This includes broadcast, multicast,
everything. Drop it. Stop trying. Bit bucket.


In addition, I'm not talking about special circumstances like an ISP
routing traffic from AS to AS where strange traffic must be forwarded.
I'm talking about stub networks. This is debian-firewall, not nanog. For
a stub net, I'm dropping all broadcast traffic. I shouldn't get it from
my ISP's router that connects me to the net, and I shouldn't get it from
anyone else (legitimately) either.

Name me some broadcast traffic that a stub net receives that is anything
more than noise from netbios, or dhcp or similar.

-- 

+==========================
+ Phil Dyer
+ email: phil.dyer@cox.net
+==========================
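The reasoning in the post above (a reply to a spoofed source would leave through the wrong interface, so the packet cannot be legitimate, and a stub net has no reason to accept broadcasts from its upstream) as an added worked example. This is illustration code written for this page, not anything posted in the thread: the two-interface routing table, the interface names `eth0`/`eth1` and all addresses are constructed assumptions. It implements the strict reverse-path check the poster describes and Bernd's class-border broadcast test over a few constructed packets, returning a verdict for each.

```python
import ipaddress
from typing import Optional

# Constructed stub-network routing table (assumption, not from the thread):
# one internal LAN on eth1 and a default route to the ISP on eth0.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),  # internal LAN
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # default route via the ISP
]
EXTERNAL_IFACE = "eth0"


def egress_interface(dst: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet to `dst` would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def passes_reverse_path(src: str, in_iface: str) -> bool:
    """Strict reverse-path check: a reply to `src` must leave through the
    interface the packet arrived on. If it would leave elsewhere, the
    source is unreachable from here and the packet is treated as spoofed."""
    return egress_interface(src) == in_iface


def is_broadcast(dst: str) -> bool:
    """Limited broadcast, or a directed broadcast on a /8, /16 or /24 border
    (the "class-border" broadcasts mentioned in the thread)."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    for plen in (8, 16, 24):
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if addr == net.broadcast_address:
            return True
    return False


def verdict(src: str, dst: str, in_iface: str) -> str:
    """Drop (not reject) anything whose source cannot be answered on the
    arrival interface, and any broadcast arriving from the upstream side;
    broadcasts on the LAN itself (DHCP, NetBIOS noise) are left alone."""
    if not passes_reverse_path(src, in_iface):
        return "DROP:spoofed-source"
    if in_iface == EXTERNAL_IFACE and is_broadcast(dst):
        return "DROP:ingress-broadcast"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, arrival interface).
    samples = [
        ("192.168.1.10", "192.168.1.1", "eth0"),     # internal source from the outside
        ("203.0.113.5", "192.168.1.255", "eth0"),    # directed broadcast from the ISP side
        ("203.0.113.5", "198.51.100.2", "eth0"),     # ordinary inbound traffic
        ("192.168.1.10", "255.255.255.255", "eth1"), # LAN broadcast, stays accepted
    ]
    for src, dst, iface in samples:
        print(f"{iface}: {src} -> {dst}: {verdict(src, dst, iface)}")
```

The check deliberately returns a drop rather than a reject: as the post argues, a reply to the spoofed source would be routed out the wrong interface and, in an amplification scenario, toward the victim rather than the real sender.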