[92580] in North American Network Operators' Group


Re: icmp rpf

daemon@ATHENA.MIT.EDU (Fernando Gont)
Tue Sep 26 08:04:16 2006

Date: Mon, 25 Sep 2006 17:35:13 -0300
To: Ian Mason <nanog@ian.co.uk>, Mark Kent <mark@noc.mainstreet.net>
From: Fernando Gont <fernando@frh.utn.edu.ar>
Cc: nanog@merit.edu
In-Reply-To: <BB6AC07F-1733-4AB8-AAFF-12E0FCBF8C0E@ian.co.uk>
Errors-To: owner-nanog@merit.edu


At 10:06 25/09/2006, Ian Mason wrote:

>>One of the largest North American network providers filters/drops
>>ICMP messages so that they only pass those with a source IP
>>address that appears in their routing table.
>
>This is clearly reasonable as part of an effort to mitigate
>ICMP-based network abuse.

As a matter of fact, most ICMP-based attacks don't require spoofing 
of the source IP address. You do have to spoof the addresses in the 
"original datagram" included in the ICMP payload, though.

Kindest regards,

--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
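
The distinction made in the message above, as an added example that is not part of the original post: a parser for IPv4 ICMP error messages that reports the source-address filter result and the match on the quoted "original datagram" as two separate checks. The function names, documentation addresses, prefix list and flow table are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv4Address, ip_network

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, time exceeded, param problem

def parse_icmp_error(pkt: bytes):
    """Return (outer_src, embedded_flow) for an IPv4 ICMP error message, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:  # IP protocol 1 = ICMP
        return None
    if pkt[ihl] not in ICMP_ERROR_TYPES:
        return None
    inner = pkt[ihl + 8:]  # the "original datagram" quoted after the 8-byte ICMP header
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or len(inner) < inner_ihl + 4:
        return None
    # Ports are read from the first 4 quoted transport bytes (meaningful for TCP/UDP only).
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    flow = (inner[9], IPv4Address(inner[12:16]), sport, IPv4Address(inner[16:20]), dport)
    return IPv4Address(pkt[12:16]), flow

def classify(pkt, routed_prefixes, local_flows):
    """Report the source-address filter result and the embedded-header match separately."""
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return None
    outer_src, flow = parsed
    return {"outer_src_routed": any(outer_src in net for net in routed_prefixes),
            "embedded_matches_local_flow": flow in local_flows}

def build_ipv4(src, dst, proto, payload):
    # Constructed sample header; checksum left at 0 because the parser does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

# Constructed sample (documentation addresses): host unreachable quoting a TCP segment.
QUOTED = build_ipv4("192.0.2.10", "198.51.100.20", 6, struct.pack("!HHI", 40000, 443, 0))
SAMPLE = build_ipv4("203.0.113.5", "192.0.2.10", 1, struct.pack("!BBHI", 3, 1, 0, 0) + QUOTED)
ROUTED = [ip_network("203.0.113.0/24")]  # hypothetical routing-table contents
FLOWS = {(6, IPv4Address("192.0.2.10"), 40000, IPv4Address("198.51.100.20"), 443)}

if __name__ == "__main__":
    print(classify(SAMPLE, ROUTED, FLOWS))
```

The two results are computed from different parts of the packet: the first from the outer IP header that a source-address filter examines, the second from the quoted header that the receiving host matches against its own flows.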





