[53074] in North American Network Operators' Group
Re: ICMP filtering, was Re: ICANN Targets DDoS Attacks
daemon@ATHENA.MIT.EDU (Rob Thomas)
Wed Oct 30 10:36:38 2002
Date: Wed, 30 Oct 2002 09:36:03 -0600 (CST)
From: Rob Thomas <robt@cymru.com>
To: NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.21.0210300808570.12801-100000@meron.openu.ac.il>
Errors-To: owner-nanog-outgoing@merit.edu
Hi, Rafi!
How's things?
] I find it hard to believe you have no thoughts about:
Oh, you know me; I have a thought about everything. :)
] 1) rate-limiting ICMP
This is covered in the Secure IOS Template, though it likely should be
added to the ICMP filtering list as well. I very much like the example
posted by Jared, so I may steal that as well (*waves to Jared*). :)
] 2) passing ICMP "statefully"
] (that is for example ICMP echo reply only accepted in reply to an ICMP echo)
Ah, yeah... I've seen a lot of problems with stateful inspection of
ICMP flows. In short, I've not seen it work consistently. Enlightenment
is welcome. :)
] 3) DoS problems related to ICMP unreachables
This is also covered in the Secure IOS Template; I recommend disabling
them. Barry has already given me the syntax to rate limit them, which
is something I need to add to the Secure IOS Template. I need more
time and more coffee. :)
http://www.cymru.com/Documents/secure-ios-template.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
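An added illustration of the stateful rule Rafi describes in item 2, written for this archive page and not taken from Rob's message or from the Secure IOS Template: a small table that admits an inbound ICMP echo reply only when it matches a pending outbound echo request (same hosts, identifier and sequence), answers each request once, and expires requests after a timeout. The hosts, identifiers and timeout are constructed sample values; the demo shows the three cases such a filter drops (a duplicate reply, an unsolicited reply, and a reply that arrives after the timeout), which is where inconsistent behaviour across implementations tends to surface.

```python
# Added illustration (hypothetical, not from the Secure IOS Template): stateful ICMP echo matching.
from dataclasses import dataclass

ECHO_REPLY = 0      # ICMP type values from RFC 792
ECHO_REQUEST = 8

@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int   # ICMP identifier field
    seq: int     # ICMP sequence number

class IcmpEchoStateTable:
    """Admit an inbound echo reply only if it answers a pending outbound echo request."""
    def __init__(self, timeout=2.0):
        self.timeout = timeout
        # (inside_host, outside_host, ident, seq) -> time the request was forwarded
        self.pending = {}

    def outbound(self, pkt, now):
        """Record outbound echo requests; other outbound ICMP is passed untracked."""
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = now
        return True

    def inbound(self, pkt, now):
        """True only for a reply matching an unexpired, not-yet-answered request."""
        self._expire(now)
        if pkt.icmp_type != ECHO_REPLY:
            return False
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)   # reversed direction
        return self.pending.pop(key, None) is not None  # one reply per request

    def _expire(self, now):
        stale = [k for k, sent in self.pending.items() if now - sent > self.timeout]
        for k in stale:
            del self.pending[k]

def demo():
    """Constructed exchange: inside host 10.0.0.5 pings 192.0.2.1 through the filter."""
    table = IcmpEchoStateTable(timeout=2.0)
    table.outbound(IcmpPacket("10.0.0.5", "192.0.2.1", ECHO_REQUEST, 1, 1), now=0.0)
    good = table.inbound(IcmpPacket("192.0.2.1", "10.0.0.5", ECHO_REPLY, 1, 1), now=0.1)
    dup = table.inbound(IcmpPacket("192.0.2.1", "10.0.0.5", ECHO_REPLY, 1, 1), now=0.2)
    unsolicited = table.inbound(IcmpPacket("192.0.2.1", "10.0.0.5", ECHO_REPLY, 9, 1), now=0.3)
    table.outbound(IcmpPacket("10.0.0.5", "192.0.2.1", ECHO_REQUEST, 1, 2), now=1.0)
    late = table.inbound(IcmpPacket("192.0.2.1", "10.0.0.5", ECHO_REPLY, 1, 2), now=5.0)
    return [good, dup, unsolicited, late]   # [True, False, False, False]
```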