North American Network Operators Group
Re: ICMP filtering, was Re: ICANN Targets DDoS Attacks
- From: Rob Thomas
- Date: Wed Oct 30 10:38:27 2002
Hi, Rafi!
How's things?
] I find it hard to believe you have no thoughts about:
Oh, you know me; I have a thought about everything. :)
] 1) rate-limiting ICMP
This is covered in the Secure IOS Template, though it likely should be
added to the ICMP filtering list as well. I very much like the example
posted by Jared, so I may steal that as well (*waves to Jared*). :)
] 2) passing ICMP "statefully"
] (that is for example ICMP echo reply only accepted in reply to an ICMP echo)
Ah, yeah... I've seen a lot of problems with stateful inspection of
ICMP flows. In short, I've not seen it work consistently. Enlightenment
is welcome. :)
] 3) DoS problems related to ICMP unreachables
This is also covered in the Secure IOS Template; I recommend disabling
them. Barry has already given me the syntax to rate limit them, which
is something I need to add to the Secure IOS Template. I need more
time and more coffee. :)
http://www.cymru.com/Documents/secure-ios-template.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);