[11489] in North American Network Operators' Group


Re: [nsp] known networks for broadcast ping attacks

daemon@ATHENA.MIT.EDU (root@gannett.com)
Wed Jul 30 18:02:28 1997

From: root@gannett.com
Date: Wed, 30 Jul 1997 17:20:00 -0400 (EDT)
To: Netstat Webmaster <feh@netstat.net>
cc: Systems Engineer <snash@lightning.net>, "Alex.Bligh" <amb@xara.net>,
        nanog@merit.edu
In-Reply-To: <Pine.BSI.3.91.970730164810.5940B-100000@wwwlab.com>

> The real problem I see with this particular attack is that there is 
> nothing short of blocking all ICMPs that 'victim.com' can do. At least 
> not that I am aware of.

Well, I've been filtering ICMP for quite a while at my border routers, 
and other than the occasional braindead sendmail configuration, and
the fact that Solaris ping can't handle the "Administratively prohibited" 
return from the IOS filter rule, I've yet to see a major downside.

We have a very large quantity of people hitting our network every day.

Is there a specific reason that you can see to allow ICMP inbound to 
a 'victim.com'?  Or at least to more than a handful of specific 
addresses?  Perhaps there's a better solution with some sort of ICMP 
"proxy" at or just behind the router?

Paul
-------------------------------------------------------------------------
Paul D. Robertson
gatekeeper@gannett.com
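
The border filter policy Paul describes above, worked through as an added example that is not part of the thread: inbound ICMP is permitted only to a handful of specific addresses, echo requests aimed at the subnet broadcast address (the amplifier behind broadcast-ping attacks) are dropped silently, and other denied packets are answered with the same type 3 code 13 "administratively prohibited" message an IOS deny rule sends back. The prefix 192.0.2.0/24, the allowed host 192.0.2.10 and the packets built below are constructed for the example; the ICMP type and code numbers are the standard RFC 792 values.

```python
import ipaddress
import struct

# ICMP type/code values (RFC 792); code 13 under type 3 is what an IOS
# access-list deny returns to the sender.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ADMIN_PROHIBITED = 13

INSIDE = ipaddress.ip_network("192.0.2.0/24")          # constructed "victim.com" prefix
ICMP_ALLOWED_HOSTS = {ipaddress.ip_address("192.0.2.10")}  # constructed handful of hosts


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as RFC 792 specifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes = b"\x00" * 4) -> bytes:
    """Build a minimal ICMP message (header + 4-byte body) with a valid checksum."""
    header = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + body


def parse_icmp(payload: bytes) -> tuple[int, int]:
    """Return (type, code) from an ICMP header; reject truncated packets."""
    if len(payload) < 8:
        raise ValueError("truncated ICMP header")
    return struct.unpack("!BB", payload[:2])


def border_verdict(dst: str, payload: bytes) -> str:
    """Decide the fate of one inbound ICMP packet at the border.

    'permit'       -> forwarded to the inside host
    'deny'         -> dropped silently (no error back to the sender)
    'deny-unreach' -> dropped, type 3 code 13 returned (IOS deny behaviour)
    """
    dst_ip = ipaddress.ip_address(dst)
    icmp_type, _code = parse_icmp(payload)
    # Echo requests to the subnet broadcast are the broadcast-ping amplifier:
    # drop them without generating any reply at all.
    if icmp_type == ECHO_REQUEST and dst_ip == INSIDE.broadcast_address:
        return "deny"
    # Error messages hosts rely on (PMTU discovery, traceroute) pass through.
    if icmp_type in (DEST_UNREACH, TIME_EXCEEDED):
        return "permit"
    # Everything else reaches only the specific addresses that need it.
    if dst_ip in ICMP_ALLOWED_HOSTS:
        return "permit"
    return "deny-unreach"
```

A host like the Solaris ping mentioned above sees the 'deny-unreach' case as a type 3 code 13 reply to its own echo request, which is the response it mishandles; 'deny' produces no packet at all.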

