[53073] in North American Network Operators' Group
Re: ICMP filtering, was Re: ICANN Targets DDoS Attacks
daemon@ATHENA.MIT.EDU (Rafi Sadowsky)
Wed Oct 30 01:15:27 2002
Date: Wed, 30 Oct 2002 08:14:49 +0200 (IST)
From: Rafi Sadowsky <rafi@meron.openu.ac.il>
To: Rob Thomas <robt@cymru.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <ROTMAILER.0210291953520.18656-100000@dragon.sauron.net>
Errors-To: owner-nanog-outgoing@merit.edu
## On 2002-10-29 19:55 -0600 Rob Thomas typed:
RT>
RT> Hi, NANOGers.
RT>
RT> ] ICMP?
RT>
RT> I have my own thoughts on ICMP filtering, which you will find here:
RT>
RT> http://www.cymru.com/Documents/icmp-messages.html
RT>
RT> I don't claim to have correct thoughts, however, so input and suggestions
RT> are always welcome. :) If anyone could pick up a NANOG t-shirt for me,
RT> that would be welcome as well. :)

Hi Rob

I find it hard to believe you have no thoughts about:

1) rate-limiting ICMP
2) passing ICMP "statefully"
   (that is, for example, ICMP echo reply only accepted in reply to an ICMP echo)
3) DoS problems related to ICMP unreachables

--
Regards,
Rafi
RT>
RT> Thanks,
RT> Rob.
RT>
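
Points 1 and 2 of the reply above (rate-limiting ICMP, and accepting an echo reply only in answer to an echo), modelled as an added example that is not part of the original message. The class name, the rate, burst and timeout values, the documentation-range addresses, and the choice to rate-limit every non-reply type are assumptions made for illustration.

```python
# Added example (not from the thread): stateful ICMP echo handling plus a
# token-bucket rate limit. All parameter values and addresses are constructed.
ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers from RFC 792


class IcmpFilter:
    def __init__(self, rate=5.0, burst=10.0, timeout=5.0):
        self.rate = rate        # tokens (packets) added per second
        self.burst = burst      # bucket depth
        self.timeout = timeout  # seconds an echo request waits for its reply
        self.pending = {}       # (inside, outside, id, seq) -> expiry time
        self.tokens = burst
        self.last = 0.0

    def outbound(self, now, src, dst, icmp_type, ident, seq):
        """Record an echo request leaving the protected network."""
        # Prune expired entries so unanswered pings cannot grow the table forever.
        self.pending = {k: t for k, t in self.pending.items() if t >= now}
        if icmp_type == ECHO_REQUEST:
            self.pending[(src, dst, ident, seq)] = now + self.timeout

    def inbound(self, now, src, dst, icmp_type, ident, seq=0):
        """Return a verdict for an ICMP packet arriving from outside."""
        if icmp_type == ECHO_REPLY:
            # Stateful rule: a reply must match a recorded request exactly
            # (addresses swapped, same id and sequence) and arrive in time.
            expiry = self.pending.pop((dst, src, ident, seq), None)
            if expiry is None or now > expiry:
                return "drop-unsolicited"
            return "accept"
        # Assumed policy for every other type: token-bucket rate limit.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return "drop-rate"
        self.tokens -= 1
        return "accept"


def demo():
    """Run a constructed packet sequence and return the verdicts in order."""
    f = IcmpFilter(rate=1.0, burst=2.0, timeout=5.0)
    inside, outside = "192.0.2.10", "198.51.100.7"
    f.outbound(0.0, inside, outside, ECHO_REQUEST, 0x1234, 1)
    return [
        f.inbound(0.1, outside, inside, ECHO_REPLY, 0x1234, 1),   # solicited
        f.inbound(0.2, outside, inside, ECHO_REPLY, 0x1234, 1),   # replayed
        f.inbound(0.3, "203.0.113.9", inside, ECHO_REPLY, 7, 1),  # never asked
    ] + [f.inbound(10.0, outside, inside, ECHO_REQUEST, 9, n) for n in range(3)]
```

The state check runs before the token bucket so that a flood of unsolicited replies cannot use up the budget that legitimate traffic needs.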