[nsp] known networks for broadcast ping attacks

Eric Wieling eric at cronus.ccti.net
Tue Aug 12 04:06:01 UTC 1997

Some time ago Rick Watson said:

> The filters need to be higher up the chain. EVERYONE needs to install
> anti-spoof filters. 
> I'd prefer not to be forced to filter out all pings. Everyone
> filtering out ICMP packets means there is a 100% successful denial of
> service attack on what is otherwise a very useful debugging tool
> (ping). 

We recently implemented outbound filters for our network.  It's
rather draconian, but it's effective and we've had no complaints yet.
We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
with source addresses on our network.  That's all.  It does not
eliminate ping floods, but at least the source address will be
traceable to us.  (Yes, our whois information is up to date 8-).
Granted, that means that we don't send out TTL exceeded (so people
can't traceroute into us), we don't send out destination, host, or
network unreachable, so if people try to access a host/port/network
that does not exist, they have to wait and wait for their local TCP
stack to time out.  It is my belief that people should not be
pinging or tracerouting into our network and that people should not be
trying to access hosts that don't exist.

We also block all inbound ICMP 0/0 (echo request) and a
bunch of other things.


Eric Wieling (eric at ccti.net), Corporate Communications Technology
Sales: 504-585-7303 (sales at ccti.net), Support: 504-525-5449 (support at ccti.net)

A BellSouth Communications Specialist.  No, I don't work for BellSouth, I'm
just on the phone with them so much that I'm an expert at getting them to do
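Added example, not part of Eric's message or the NANOG archive: a Python model of the outbound policy described above, applied to constructed sample packets. The prefix 192.0.2.0/24 is a constructed stand-in for "our network", and the ICMP echo request is type 8 as numbered in RFC 792.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the poster's address space ("our network")
OUR_NET = ipaddress.ip_network("192.0.2.0/24")

# IANA protocol numbers and RFC 792 ICMP types used by the policy
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TTL_EXCEEDED = 3, 8, 11


@dataclass(frozen=True)
class Packet:
    src: str                         # source IPv4 address as written in the header
    proto: int                       # IP protocol number
    icmp_type: Optional[int] = None  # only meaningful when proto == PROTO_ICMP


def egress_permitted(pkt: Packet) -> bool:
    """Decide whether the border router forwards an outbound packet.

    Mirrors the post: the source must be ours (anti-spoof), and only TCP, UDP,
    GRE and ICMP echo request pass.  Every other ICMP type, including the
    TTL-exceeded and unreachable messages the post says are lost, is dropped.
    """
    if ipaddress.ip_address(pkt.src) not in OUR_NET:
        return False  # spoofed or foreign source: never leaves our border
    if pkt.proto in (PROTO_TCP, PROTO_UDP, PROTO_GRE):
        return True
    if pkt.proto == PROTO_ICMP:
        return pkt.icmp_type == ICMP_ECHO_REQUEST
    return False


def filter_outbound(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split a batch into (forwarded, dropped) so the side effects are visible."""
    forwarded = [p for p in packets if egress_permitted(p)]
    dropped = [p for p in packets if not egress_permitted(p)]
    return forwarded, dropped


# Constructed sample traffic leaving the border
SAMPLE = [
    Packet("192.0.2.10", PROTO_TCP),                        # ordinary TCP session
    Packet("192.0.2.10", PROTO_ICMP, ICMP_ECHO_REQUEST),    # our users pinging out
    Packet("198.51.100.7", PROTO_ICMP, ICMP_ECHO_REQUEST),  # spoofed source: not ours
    Packet("192.0.2.1", PROTO_ICMP, ICMP_TTL_EXCEEDED),     # our router's traceroute reply
    Packet("192.0.2.1", PROTO_ICMP, ICMP_DEST_UNREACH),     # "host unreachable" to outsiders
    Packet("192.0.2.20", PROTO_GRE),                        # tunnel traffic
]
```

Running `filter_outbound(SAMPLE)` forwards the first, second and last packets and drops the other three, which is exactly the trade-off the post describes: spoofed traffic cannot leave, but neither can the ICMP errors outsiders rely on for traceroute and fast connection failures.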

More information about the NANOG mailing list