Date: Wed, 23 Jan 2002 10:32:27 +0200
From: Barry Irwin
To: Tom
Cc: "Robert D. Hughes", freebsd-stable@freebsd.org
Subject: Re: NATD, or another one I haven't seen before
Message-ID: <20020123103227.F32746@itouchlabs.com>
In-Reply-To: message from tom@uniserve.com on Tue, Jan 22, 2002 at 03:14:47PM -0800
User-Agent: Mutt/1.2.5i

On Tue 2002-01-22 (15:14), Tom wrote:
> Lots of unused IPs is a denial-of-service vulnerability. Port scanning them
> will generate a lot of ARP activity, and force your gateway to buffer a lot of
> traffic. Unused networks should be removed from router interfaces, and
> replaced with Null (blackhole) routes.

Fully agreed; however, some ISPs are rather slack, and one ends up having an
ARP storm on the outside interface of your firewall :<  Not much I can really
think of to combat such a storm.

In theory I suppose one could have a static ARP entry for your default route,
and then configure the interface not to ARP, although I'm not sure if this will
prevent any handling of other systems' ARP traffic received on the interface.

Barry

--
Barry Irwin                                         bvi@itouchlabs.com
+27214875150
Systems Administrator: Networks And Security
Itouch Labs                                   http://www.itouchlabs.com
South Africa
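The storm the thread describes has a recognisable shape on the wire: many who-has requests for addresses that never send an is-at reply. The script below is an added example, not part of the thread or of FreeBSD, that pulls that signature out of tcpdump-style ARP lines; the sample lines, the 192.0.2.0/24 addresses and the 00:00:5e:00:53:xx MACs are constructed documentation values, and the tcpdump line format assumed is the older `arp who-has X tell Y` / `arp reply X is-at M` style.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n arp` output; 192.0.2.0/24
# and 00:00:5e:00:53:xx are documentation ranges, not captured traffic.
SAMPLE = """\
10:32:27.000101 arp who-has 192.0.2.10 tell 192.0.2.1
10:32:27.000205 arp who-has 192.0.2.11 tell 192.0.2.1
10:32:27.000310 arp who-has 192.0.2.7 tell 192.0.2.1
10:32:27.000412 arp reply 192.0.2.7 is-at 00:00:5e:00:53:07
10:32:27.000520 arp who-has 192.0.2.10 tell 192.0.2.1
10:32:27.000633 arp who-has 192.0.2.11 tell 192.0.2.1
10:32:28.000101 arp who-has 192.0.2.10 tell 192.0.2.1
10:32:28.000210 arp who-has 192.0.2.12 tell 192.0.2.1
10:32:28.000320 arp who-has 192.0.2.11 tell 192.0.2.1
"""

REQUEST = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ arp who-has (\S+) tell \S+$")
REPLY = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ arp reply (\S+) is-at \S+$")


def parse_arp(line):
    """Return ('request', second, target) or ('reply', second, sender); None otherwise."""
    m = REQUEST.match(line.strip())
    if m:
        return ("request", m.group(1), m.group(2))
    m = REPLY.match(line.strip())
    if m:
        return ("reply", m.group(1), m.group(2))
    return None


def unanswered_targets(text, min_requests=2):
    """Addresses asked for at least min_requests times that never answered."""
    # A live host replies to its own who-has; an address polled again and again
    # with no is-at is unused or down. Many at once is the storm the thread
    # describes: the gateway keeps re-arping for hosts that do not exist.
    asked, answered = Counter(), set()
    for line in text.splitlines():
        rec = parse_arp(line)
        if rec is None:
            continue
        kind, _, addr = rec
        if kind == "request":
            asked[addr] += 1
        else:
            answered.add(addr)
    return {a: n for a, n in asked.items() if n >= min_requests and a not in answered}
```

Run against a real capture, the addresses it reports are the ones worth blackholing upstream or at least watching; a host that is merely down will drop off the list once it answers again.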