ICMP filtering, was Re: ICANN Targets DDoS Attacks

Rob Thomas robt at cymru.com
Wed Oct 30 15:36:03 UTC 2002


Hi, Rafi!

How's things?

]  I find it hard to believe You have no thoughts about:

Oh, you know me; I have a thought about everything.  :)

]   1) rate-limiting ICMP

This is covered in the Secure IOS Template, though it likely should be
added to the ICMP filtering list as well.  I very much like the example
posted by Jared, so I may steal that as well (*waves to Jared*).  :)

]   2) passing ICMP "statefully"
]  (that is for example ICMP echo reply only accepted in reply to an ICMP echo)

Ah, yeah...  I've seen a lot of problems with stateful inspection of
ICMP flows.  In short, I've not seen it work consistently.  Enlightenment
is welcome.  :)

]   3) DoS problems related to ICMP unreachables

This is also covered in the Secure IOS Template; I recommend disabling
them.  Barry has already given me the syntax to rate limit them, which
is something I need to add to the Secure IOS Template.  I need more
time and more coffee.  :)

http://www.cymru.com/Documents/secure-ios-template.html

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
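Added example (not part of Rob's message or of the Secure IOS Template itself): a Cisco IOS fragment that puts the three points above into configuration form, rate-limiting inbound ICMP with CAR, and either disabling or rate-limiting ICMP unreachables. The interface name, ACL number, and the bit-rate and burst values are assumptions chosen for illustration; tune them to the link speed and the traffic you actually expect.

```cisco
! --- 1) rate-limit ICMP (CAR on the ingress interface) ---
! ACL 101 matches all ICMP; the numbers below are illustrative:
! 256 kbit/s sustained, 8000-byte normal and maximum bursts.
access-list 101 permit icmp any any
!
interface FastEthernet0/0
 rate-limit input access-group 101 256000 8000 8000 conform-action transmit exceed-action drop
!
! --- 3) ICMP unreachables ---
! Option A: do not generate unreachables on this interface at all
! (this is what the message recommends).
interface FastEthernet0/0
 no ip unreachables
!
! Option B: keep them, but limit the router to one unreachable
! per 1000 ms so a flood of undeliverable packets cannot make the
! router spend its time generating replies (global command).
ip icmp rate-limit unreachable 1000
```

Option A and Option B are alternatives; pick one per router. Note that `no ip unreachables` also suppresses "fragmentation needed" messages on that interface, so leave it on, or use the rate limit instead, on any interface where path MTU discovery has to keep working.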
