[11494] in North American Network Operators' Group
Re: [nsp] known networks for broadcast ping attacks
daemon@ATHENA.MIT.EDU (root@gannett.com)
Wed Jul 30 18:09:16 1997
From: root@gannett.com
Date: Wed, 30 Jul 1997 17:35:23 -0400 (EDT)
To: Systems Engineer <snash@lightning.net>
cc: Netstat Webmaster <feh@netstat.net>, "Alex.Bligh" <amb@xara.net>,
nanog@merit.edu
In-Reply-To: <33DFB454.9C3A370B@lightning.net>
On Wed, 30 Jul 1997, Systems Engineer wrote:
> Well ever since this bug was introduced to the outside world, I have
> since modified my present Firewall (ipfwadm v2.3.0) to accommodate.
>
> type prot source destination ports
> deny icmp 0.0.0.0 0.0.0.255 any
> deny icmp 0.0.0.255 0.0.0.0 any
>
My rule is:
deny icmp 0.0.0.0 0.0.0.0 any
With perhaps specific permits above that for devices that I find have
a legitimate need for ICMP (be it unreachables, or echo/echo reply).
I was wondering more if there were a good reason, other than for dial-up
users who may need connectivity checks, to allow any ICMP in, or ICMP to
say anything more than a terminal server's address range and certain hosts.
Hence my prior discussion on ping-mapping netblocks, and its lack of
applicability to the number of hosts on my network.
Paul
-------------------------------------------------------------------------
Paul D. Robertson
gatekeeper@gannett.com
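The policy Paul describes (specific ICMP permits listed above a catch-all deny, first match wins) as an added example in Python, not code from the message or from ipfwadm; the address ranges, the terminal-server and monitoring-host names, and the simplified rule syntax are all constructed assumptions, and the last function checks whether an inbound echo request to a netblock's directed-broadcast address (the smurf amplifier case the thread is about) would get through.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMP type numbers from RFC 792.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8

@dataclass
class Rule:
    action: str                               # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    icmp_types: Optional[frozenset] = None    # None means any ICMP type

    def matches(self, src, dst, icmp_type):
        return (src in self.src and dst in self.dst
                and (self.icmp_types is None or icmp_type in self.icmp_types))

def evaluate(rules, src, dst, icmp_type):
    """First matching rule wins; a packet that matches nothing is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, icmp_type):
            return rule.action
    return "deny"

def broadcast_ping_reaches(rules, network, outside_src="203.0.113.9"):
    """True if an inbound echo request to the netblock's directed-broadcast
    address is permitted, i.e. the block could act as a smurf amplifier."""
    return evaluate(rules, outside_src, str(network.broadcast_address),
                    ECHO_REQUEST) == "permit"

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed, hypothetical ranges (documentation prefixes, not real networks).
TERMSERVER = ipaddress.ip_network("192.0.2.0/28")   # dial-up terminal server pool
MONITOR = ipaddress.ip_network("192.0.2.40/32")     # one host allowed to be pinged

# Permits for hosts with a legitimate need sit above the "deny icmp any any".
POLICY = [
    Rule("permit", ANY, TERMSERVER, frozenset({ECHO_REPLY, DEST_UNREACH})),
    Rule("permit", ANY, MONITOR, frozenset({ECHO_REQUEST, ECHO_REPLY})),
    Rule("deny", ANY, ANY),
]
```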