[11756] in North American Network Operators' Group


Re: [nsp] known networks for broadcast ping attacks

daemon@ATHENA.MIT.EDU (Eric Wieling)
Tue Aug 12 00:33:21 1997

To: rick@akbar.cc.utexas.edu (Rick Watson)
Date: Mon, 11 Aug 1997 23:06:01 -0500 (CDT)
Cc: feh@netstat.net, snash@lightning.net, amb@xara.net, nanog@merit.edu
In-Reply-To: <199708120257.VAA27694@akbar.cc.utexas.edu> from "Rick Watson" at Aug 11, 97 09:57:31 pm
From: Eric Wieling <eric@cronus.ccti.net>

Some time ago Rick Watson said:

> The filters need to be higher up the chain. EVERYONE needs to install
> anti-spoof filters. 
> 
> I'd prefer not to be forced to filter out all pings. Everyone
> filtering out ICMP packets means there is a 100% successful denial of
> service attack on what is otherwise a very useful debugging tool
> (ping). 

We recently implemented outbound filters for our network.  It's
rather draconian, but it's effective and we've had no complaints yet. 
We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
with source addresses on our network.  That's all.  It does not
eliminate ping floods, but at least the source address will be
traceable to us.  (Yes, our whois information is up to date 8-). 
Granted, that means that we don't send out TTL exceeded (so people
can't traceroute into us), we don't send out destination, host, or
network unreachable, so if people try to access a host/port/network
that does not exist, they have to wait and wait for their local TCP
stack to time out.  It is my belief that people should not be
pinging, tracerouting, into our network and that people should not be
trying to access hosts that don't exist.

We also block all inbound ICMP 0/0 (echo request) and a bunch of
other things.

--Eric

-- 
Eric Wieling (eric@ccti.net), Corporate Communications Technology
Sales: 504-585-7303 (sales@ccti.net), Support: 504-525-5449 (support@ccti.net)

A BellSouth Communications Specialist.  No, I don't work for BellSouth, I'm
just on the phone with them so much that I'm an expert at getting them to do
things.
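The filter policy Eric describes (outbound TCP/UDP/GRE and echo request only, and only with a source address from the operator's own prefix; inbound echo request dropped), as an added example that is not part of the original post. The prefix 192.0.2.0/24 and the sample packets are constructed; the mirror-image inbound anti-spoof check is an assumption, not something the post states.

```python
# Added example, not from the original post: a small model of the egress/ingress
# policy described above, applied to constructed packet descriptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NET = ip_network("192.0.2.0/24")        # assumed: "our network" (RFC 5737 space)
OUTBOUND_PROTOS = {"tcp", "udp", "gre"}     # always permitted outbound
OUTBOUND_ICMP = {"echo-request"}            # the only ICMP type allowed out


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" (leaving our network) or "in" (entering it)
    src: str
    dst: str
    proto: str            # "tcp", "udp", "gre", "icmp", ...
    icmp_type: str = ""   # e.g. "echo-request", "echo-reply", "ttl-exceeded"


def decide(pkt: Packet) -> str:
    """Return 'permit', 'deny-spoof' or 'deny-policy' for one packet."""
    src = ip_address(pkt.src)
    if pkt.direction == "out":
        # Anti-spoof rule: nothing leaves unless it claims one of our addresses,
        # so any flood that does get out is traceable back to us.
        if src not in OUR_NET:
            return "deny-spoof"
        if pkt.proto in OUTBOUND_PROTOS:
            return "permit"
        if pkt.proto == "icmp" and pkt.icmp_type in OUTBOUND_ICMP:
            return "permit"
        # Everything else is dropped: TTL exceeded, unreachables, other protocols.
        return "deny-policy"
    # Inbound: drop echo requests (the broadcast-ping trigger) ...
    if pkt.proto == "icmp" and pkt.icmp_type == "echo-request":
        return "deny-policy"
    # ... and (assumed extension) anything arriving from outside that claims
    # to come from one of our own addresses.
    if src in OUR_NET:
        return "deny-spoof"
    return "permit"


if __name__ == "__main__":
    samples = [  # constructed traffic, not captured data
        Packet("out", "192.0.2.10", "198.51.100.1", "tcp"),
        Packet("out", "203.0.113.5", "198.51.100.1", "icmp", "echo-request"),
        Packet("out", "192.0.2.10", "198.51.100.1", "icmp", "ttl-exceeded"),
        Packet("in", "198.51.100.1", "192.0.2.10", "icmp", "echo-request"),
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.proto, p.icmp_type or "", decide(p))
```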
