[11496] in North American Network Operators' Group
Re: [nsp] known networks for broadcast ping attacks
daemon@ATHENA.MIT.EDU (Systems Engineer)
Wed Jul 30 18:37:54 1997
Date: Wed, 30 Jul 1997 18:03:25 -0400
From: Systems Engineer <snash@lightning.net>
To: root@gannett.com
CC: Netstat Webmaster <feh@netstat.net>, "Alex.Bligh" <amb@xara.net>,
nanog@merit.edu
Well, to allow ICMP is good for just basic pinging of you or a
traceroute. I really don't care if other people can traceroute or ping
me, so I just deny those lines I mentioned before, and all ICMP as a
whole.
Until the bug passes and/or gets fixed somehow, I am going to keep those
lines.
root@gannett.com wrote:
> On Wed, 30 Jul 1997, Systems Engineer wrote:
>
> > Well, ever since this bug was introduced to the outside world, I have
> > since modified my present Firewall (ipfwadm v2.3.0) to accommodate.
> >
> > type prot source destination ports
> > deny icmp 0.0.0.0 0.0.0.255 any
> > deny icmp 0.0.0.255 0.0.0.0 any
> >
>
> My rule is:
>
> deny icmp 0.0.0.0 0.0.0.0 any
>
> With perhaps specific permits above that for devices that I find have
> a legitimate need for ICMP (be it unreachables, or echo/echo reply).
>
> I was wondering more if there were a good reason, other than for dial-up
> users who may need connectivity checks, to allow any ICMP in, or ICMP to
> say anything more than a terminal server's address range and certain
> hosts.
>
> Hence my prior discussion on ping-mapping netblocks, and its lack of
> applicability to the number of hosts on my network.
>
> Paul
> ------------------------------------------------------------------------
> Paul D. Robertson
> gatekeeper@gannett.com
--
--- --- --- --- --- --- --- --- ---
Steven Nash ph: (516)248-8400ext25
Systems Engineer / Network Security fax: (516)248-8897
Lightning Internet Services LLC email: snash@lightning.net
http://www.lightning.net
--- --- --- --- --- --- --- --- ---
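The two approaches argued over above (drop all ICMP outright versus put specific permits above a blanket deny) are first-match ordered rule lists, and the thing that actually matters is which packets each list lets through and whether the ordering shadows a permit. The following is an added example, not code from the thread and not ipfwadm: it models the rules in a hypothetical "action proto src dst icmp-types" syntax (not ipfwadm's notation), uses constructed addresses from the documentation ranges, and checks what each ordering does to a directed-broadcast echo request (the amplifier probe behind a broadcast ping attack), an echo reply to a host that was given a permit, and an unreachable to some other host. It also flags permits that a preceding deny makes unreachable.

```python
"""First-match ICMP filter simulator (added example, hypothetical rule syntax).

Not ipfwadm and not code from the original thread. Rules are written as
'action proto src/prefix dst/prefix types' where types is 'any' or a
comma-separated list of ICMP type numbers. Addresses are constructed
from RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ECHO_REPLY, UNREACH, ECHO_REQUEST = 0, 3, 8   # ICMP type numbers


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "icmp", "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    types: FrozenSet[int]             # ICMP types matched; empty == any type


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse one rule line in the hypothetical syntax described above."""
    action, proto, src, dst, types = text.split()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action {action!r}")
    type_set = frozenset() if types == "any" else frozenset(int(t) for t in types.split(","))
    return Rule(action, proto,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False),
                type_set)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto not in ("any", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if pkt.proto == "icmp" and rule.types and pkt.icmp_type not in rule.types:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins; `default` stands in for the chain's policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers_types = (not earlier.types) or (bool(later.types) and later.types <= earlier.types)
            if (earlier.proto in ("any", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and covers_types):
                out.append(j)
                break
    return out


def is_directed_broadcast(dst: str, prefix: str) -> bool:
    """True when dst is the broadcast address of the given netblock."""
    return ipaddress.ip_address(dst) == ipaddress.ip_network(prefix, strict=False).broadcast_address


SITE = "192.0.2.0/24"                           # constructed: the protected netblock
MONITOR = "192.0.2.10/32"                       # constructed: a host that legitimately needs ICMP

# Drop all ICMP, no exceptions.
DENY_ALL_ICMP = [parse_rule("deny icmp 0.0.0.0/0 0.0.0.0/0 any")]

# Specific permits above the blanket deny: echo replies and unreachables to one host.
PERMIT_THEN_DENY = [
    parse_rule(f"permit icmp 0.0.0.0/0 {MONITOR} 0,3"),
    parse_rule("deny icmp 0.0.0.0/0 0.0.0.0/0 any"),
]

# Same two rules in the wrong order: the deny shadows the permit.
DENY_THEN_PERMIT = list(reversed(PERMIT_THEN_DENY))

# Constructed sample traffic.
SAMPLE = {
    "bcast_echo_request": Packet("icmp", "203.0.113.5", "192.0.2.255", ECHO_REQUEST),
    "reply_to_monitor": Packet("icmp", "198.51.100.1", "192.0.2.10", ECHO_REPLY),
    "unreach_to_other": Packet("icmp", "198.51.100.1", "192.0.2.20", UNREACH),
    "tcp_to_other": Packet("tcp", "198.51.100.1", "192.0.2.20"),
}


def verdicts(rules: List[Rule]) -> dict:
    """Map each sample packet name to the action the rule list takes on it."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("deny all", DENY_ALL_ICMP),
                         ("permit then deny", PERMIT_THEN_DENY),
                         ("deny then permit", DENY_THEN_PERMIT)):
        print(label, verdicts(rules), "shadowed:", shadowed(rules))
    print("192.0.2.255 is directed broadcast of", SITE, ":", is_directed_broadcast("192.0.2.255", SITE))
```

Both orderings of the second list drop the echo request aimed at the directed-broadcast address, but only the permit-first ordering lets the monitor's echo replies through; `shadowed()` reports the misordered permit as unreachable, which is the check to run before trusting a chain that mixes permits and a catch-all deny. The blanket deny also drops the unreachable to the other host, which is the cost the thread is weighing.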