smurf

Mon Dec 8 18:15:37 UTC 1997

Adrian Chadd writes...

> A couple of problems:
> 
> * Filtering ALL ICMP is pretty silly, ICMP is there for more than just
>   pings, and some of it is important.

Such as MTU Discovery.  If your customers try to go down a path where the
MTU is smaller than what they are sending, and if their packets prohibit
fragmentation, ICMP is the only way to inform their stack to reduce the
size of the MTU.  Otherwise they may failures ranging from intermittent
to totality.  Intermittent ones would often be seen when just a small
amount of data sometimes gets through.  For example, an HTTP request could
be sent in a small packet, but posting a large form would not.

How many tech support people would know that the ability to get a page
and the inability to post a form could be caused by the customer's own
ISP blocking ICMP network unreachable?

So you need to leave "network unreachable" coming in.

Ref: "TCP/IP Illustrated, Volume 1, The Protocols", by W. Richard Stevens
See: page 340.

> * If people start doing this, someone with a smidgen of time on their
>   hands will write a ping flooder that uses random TCP or UDP packets
>   with spoofed from addresses.

Already been done.  I've had one of those for 4 years.

The ultimate solution to network security was published a few months ago
in the Dilbert series.

-- 
Phil Howard | suck5it2 at spammer8.edu end7it92 at s0p0a2m0.com suck1it8 at no6place.net
  phil      | end3it30 at no3where.edu stop7it1 at dumb6ads.net ads6suck at no8where.com
    at      | end6it68 at noplace0.net die6spam at anywhere.org no1spam0 at spam9mer.com
  milepost  | no1way40 at spammer0.org end2ads9 at spammer2.com blow8me2 at no3place.com
    dot     | suck3it7 at no62ads4.net no7spam7 at noplace0.edu no7spam8 at noplace1.net
  com       | blow2me9 at spammer0.com stop1659 at anyplace.com crash345 at lame2ads.com