Firewall stateful handling of ICMP packets
Steve Francis
steve at expertcity.com
Thu Dec 4 03:46:43 UTC 2003
Jamie Reid wrote:
>Personal view:
>
>This was a problem when filtering Nachi while it pinged networks
>to their knees.
>
>Sometimes I wonder if there is any legitimate reason to allow
>pings from users at all
>
>ICMP echos are a bit of a hack and, quite literally, noise,
>and I wonder if it may be time to consider unofficially
>retiring them using filters.
>
>
If every ISP rate limited icmp's on ingress (from customers and net) to
some reasonable rate (I use 2Mbps), then you protect the net from attack
impacts, have no impact on customers during normal times, and break
nothing essential during times of attack (as opposed to, say, SYN rate
limiting, which just lowers the bar for an attacker.)
Of course, this assumes that the equipment can do such policing in
hardware, or with negligible impact...
Totally filtering ICMP echoes would raise lots of user hackles...
More information about the NANOG
mailing list