Subject: Re: broadcast ping response
To: None <tech-net@netbsd.org>
From: Miles Nordin <carton@Ivy.NET>
List: tech-net
Date: 01/23/2005 02:00:55

>>>>> "smb" == Steven M Bellovin <smb@cs.columbia.edu> writes:

   smb> Those are known as directed broadcasts, and they've been known
   smb> to be a bad idea since 1998

Yeah,

net.inet.ip.directed-broadcast = 0

off by default.  As I understand it, the old Smurf DoS amplification
requires directed broadcasts to be allowed.  But the sysctl seems to
affect only whether directed broadcasts are forwarded by a NetBSD
router, not whether they're honored by a NetBSD end system.

06:53:54.399092 IP 192.168.1.1 > 192.168.3.255: icmp 64: echo request seq 1
06:53:54.399571 IP 192.168.3.102 > 192.168.1.1: icmp 64: echo reply seq 1
06:53:54.399656 IP 192.168.3.94 > 192.168.1.1: icmp 64: echo reply seq 1
06:53:54.401359 IP 192.168.3.54 > 192.168.1.1: icmp 64: echo reply seq 1

meh.  IIRC routers not forwarding them was the official way everyone
dealt with Smurf, but maybe there is an argument for changing echo
reply behavior, too.

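As an added example (not part of the post above): a small Python detector that reads tcpdump ICMP lines of the form quoted in the message and pairs each echo request sent to a subnet's directed-broadcast address with the echo replies that come back from hosts inside that subnet, so the number of responders (the amplification factor a Smurf-style sender would obtain) is visible per request. The sample capture is constructed from the lines in the post plus one ordinary unicast ping; the subnet list passed in is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Network, ip_address

# Constructed sample: the tcpdump lines quoted in the post, plus an
# unrelated unicast ping that must not be flagged.
SAMPLE = """\
06:53:54.399092 IP 192.168.1.1 > 192.168.3.255: icmp 64: echo request seq 1
06:53:54.399571 IP 192.168.3.102 > 192.168.1.1: icmp 64: echo reply seq 1
06:53:54.399656 IP 192.168.3.94 > 192.168.1.1: icmp 64: echo reply seq 1
06:53:54.401359 IP 192.168.3.54 > 192.168.1.1: icmp 64: echo reply seq 1
06:53:55.100000 IP 192.168.1.1 > 192.168.3.7: icmp 64: echo request seq 2
06:53:55.100500 IP 192.168.3.7 > 192.168.1.1: icmp 64: echo reply seq 2
"""

# Matches tcpdump's "IP src > dst: icmp N: echo request|reply seq K" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: "
    r"echo (?P<kind>request|reply) seq (?P<seq>\d+)$"
)

def parse(text):
    """Yield (src, dst, kind, seq) for every ICMP echo line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["seq"])

def find_broadcast_amplification(text, subnets):
    """Return {(requester, broadcast_addr, seq): sorted list of responders}.

    subnets is an assumed list of local prefixes (e.g. "192.168.3.0/24").
    An echo request aimed at a subnet's directed-broadcast address is
    matched with every echo reply sent back to the requester from a host
    inside that subnet carrying the same sequence number.
    """
    nets = [IPv4Network(n) for n in subnets]
    pending = {}             # (requester, seq) -> (broadcast addr, subnet)
    hits = defaultdict(set)  # (requester, broadcast addr, seq) -> responders
    for src, dst, kind, seq in parse(text):
        if kind == "request":
            for net in nets:
                if ip_address(dst) == net.broadcast_address:
                    pending[(src, seq)] = (dst, net)
        else:
            entry = pending.get((dst, seq))
            if entry and ip_address(src) in entry[1]:
                hits[(dst, entry[0], seq)].add(src)
    return {k: sorted(v, key=ip_address) for k, v in hits.items()}
```

The length of each responder list is the amplification factor that end systems honouring directed-broadcast echo requests hand to whoever forged the request's source address.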