Smurf tone down

• Previous message (by thread): Smurf tone down
• Next message (by thread): Smurf tone down
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > access-list 175 permit icmp any any
> > int bleh/bleh
> >  rate-limit input access-group 175 128000 8000 8000 conform-action transmit exceed-action drop
> >  rate-limit output access-group 175 128000 8000 8000 conform-action transmit exceed-action drop
> 
> I agree, the above isn't all that hard.
> 
> However, I'd argue that the above is in some sense wrong.
> There's no need to put all ICMP traffic in the same basket; some
> ICMP traffic is required for e.g. path MTU discovery to work.
> So, instead I'd use
> 
> access-list 175 permit icmp any any echo-reply

With all the smurf amplifiers available, it is of course easier to
generate several Mbps of ICMP Echo Reply than it is to generate large
amounts of other ICMP traffic.

However, if your network is exposed to several Mbps of inbound ICMP
*other* than Echo Reply, it may be equally bad for your network. So
I prefer to leave it as 'icmp any any'.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

• Previous message (by thread): Smurf tone down
• Next message (by thread): Smurf tone down
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]