Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Filtering ICMP (Was Re: SMURF amplifier block list)

  • From: D'Arcy J.M. Cain
  • Date: Wed Apr 22 11:14:53 1998

Thus spake Alex P. Rudnev
>  deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm echo-request log
> 
> to prevent smurf originating, or
> 
>  deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm echo-reply
> 
> to prevent smurf flooding into your network.
> 
> No important ICMP are affected in this case.

Depends what you (or your users) consider important.  Consider that
users think that they understand networking because they know how
to ping or traceroute and your support lines will be busy explaining
that you aren't really down just because they can't traceroute to you.

We have a little script that looks at network usage and when it sees
a spike in traffic it temporarily blocks echo-reply in.  It isn't
perfect but it helps.  We know what our normal traffic is and when
it goes much higher we kick the filter into place.  If the script
makes a mistake and blocks when it isn't really an attack then we
haven't actually cut anyone off but we don't flood our downstreams
when there is an actual attack.

-- 
D'Arcy J.M. Cain <darcy@{druid|vex}.net>   |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 424 2871     (DoD#0082)    (eNTP)   |  what's for dinner.
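
The traffic-spike trigger described in the message above, as an added example that is not part of the original post and is not the author's script. The trigger and release multipliers, the hold count and the sample rates are assumptions chosen for illustration, and the returned "block"/"unblock" actions stand for applying and removing the inbound echo-reply filter on the router.

```python
from dataclasses import dataclass


@dataclass
class SpikeFilter:
    baseline: float              # known normal inbound rate, same unit as the samples
    trigger_factor: float = 3.0  # assumed meaning of "much higher" than normal
    release_factor: float = 1.5  # rate must drop under this multiple to count as calm
    hold_samples: int = 3        # consecutive calm samples needed before unblocking
    blocking: bool = False
    calm: int = 0

    def observe(self, rate):
        """Feed one rate sample (measured ahead of the filter).

        Returns 'block', 'unblock' or None when nothing changes.
        """
        if not self.blocking:
            if rate > self.baseline * self.trigger_factor:
                self.blocking, self.calm = True, 0
                return "block"
            return None
        if rate < self.baseline * self.release_factor:
            self.calm += 1
            if self.calm >= self.hold_samples:
                self.blocking = False
                return "unblock"
        else:
            self.calm = 0  # still elevated: restart the calm counter
        return None


def run(samples, **settings):
    """Return [(sample_index, action)] for a list of rate samples."""
    guard = SpikeFilter(**settings)
    events = []
    for i, rate in enumerate(samples):
        action = guard.observe(rate)
        if action:
            events.append((i, action))
    return events


# Constructed samples in Mbit/s: a spike at index 3 and a second burst at index 7.
SAMPLES = [10, 12, 11, 45, 50, 13, 12, 40, 12, 11, 10, 12]

if __name__ == "__main__":
    for index, action in run(SAMPLES, baseline=12):
        print(index, action)
```

The hold count keeps the filter from flapping when an attack pauses briefly, and a false trigger costs only echo-reply traffic for the hold period.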



