ICMP filtering, was Re: ICANN Targets DDoS Attacks
Rob Thomas
robt at cymru.com
Wed Oct 30 15:36:03 UTC 2002
Hi, Rafi!
How's things?
] I find it hard to believe you have no thoughts about:
Oh, you know me; I have a thought about everything. :)
] 1) rate-limiting ICMP
This is covered in the Secure IOS Template, though it likely should be
added to the ICMP filtering list as well. I very much like the example
posted by Jared, so I may steal that as well (*waves to Jared*). :)
] 2) passing ICMP "statefully"
] (that is for example ICMP echo reply only accepted in reply to an ICMP echo)
Ah, yeah... I've seen a lot of problems with stateful inspection of
ICMP flows. In short, I've not seen it work consistently. Enlightenment
is welcome. :)
] 3) DoS problems related to ICMP unreachables
This is also covered in the Secure IOS Template; I recommend disabling
them. Barry has already given me the syntax to rate limit them, which
is something I need to add to the Secure IOS Template. I need more
time and more coffee. :)
http://www.cymru.com/Documents/secure-ios-template.html
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
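The three points above (rate-limiting echo traffic, quieting ICMP unreachables) sketched as an IOS configuration fragment. This is an added illustration, not the Secure IOS Template, Jared's posting or Barry's syntax; the interface name, ACL number and rate values are assumptions to be tuned per link.

```cisco
! Assumed: FastEthernet0/0 is the upstream interface; numbers are illustrative.
!
! 3) ICMP unreachables: either stop generating them on the edge interface ...
interface FastEthernet0/0
 no ip unreachables
!
! ... or, where they must stay on, throttle how often the router emits them
! (global; value is the minimum interval in milliseconds between unreachables).
ip icmp rate-limit unreachable 1000
!
! 1) Rate-limit ICMP echo / echo-reply with CAR so a flood cannot saturate the
! link. Match only the echo types so PMTU-related ICMP (e.g. type 3 code 4) is
! not caught by the limiter.
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
!
interface FastEthernet0/0
 ! 256 kbit/s sustained, 8000-byte normal and maximum bursts; excess is dropped.
 rate-limit input access-group 102 256000 8000 8000 conform-action transmit exceed-action drop
!
! Verify: "show interfaces FastEthernet0/0 rate-limit" shows conformed/exceeded
! counters, which is also the place to watch for an ICMP flood in progress.
```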