Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: ICMP filtering, was Re: ICANN Targets DDoS Attacks

  • From: Rob Thomas
  • Date: Wed Oct 30 10:38:27 2002

Hi, Rafi!

How's things?

]  I find it hard to believe You have no thoughts about:

Oh, you know me; I have a thought about everything.  :)

]   1) rate-limiting ICMP

This is covered in the Secure IOS Template, though it likely should be
added to the ICMP filtering list as well.  I very much like the example
posted by Jared, so I may steal that as well (*waves to Jared*).  :)

]   2) passing ICMP "statefully"
]  (that is for example ICMP echo reply only accepted in reply to an ICMP echo)

Ah, yeah...  I've seen a lot of problems with stateful inspection of
ICMP flows.  In short, I've not seen it work consistently.  Enlightenment
is welcome.  :)

]   3) DoS problems related to ICMP unreachables

This is also covered in the Secure IOS Template; I recommend disabling
them.  Barry has already given me the syntax to rate limit them, which
is something I need to add to the Secure IOS Template.  I need more
time and more coffee.  :)

http://www.cymru.com/Documents/secure-ios-template.html

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);





