Firewall stateful handling of ICMP packets

Steve Francis steve at expertcity.com
Thu Dec 4 03:46:43 UTC 2003


Jamie Reid wrote:

>Personal view: 
>
>This was a problem when filtering Nachi while it pinged networks
>to their knees. 
>
>Sometimes I wonder if there is any legitimate reason to allow 
>pings from users at all 
>
>ICMP echos are a bit of a hack and, quite literally, noise, 
>and I wonder if it may be time to consider unofficially 
>retiring them using filters. 
>  
>
If every ISP rate limited ICMPs on ingress (from customers and net) to 
some reasonable rate (I use 2Mbps), then you protect the net from attack 
impacts, have no impact on customers during normal times, and break 
nothing essential during times of attack (as opposed to, say, SYN rate 
limiting, which just lowers the bar for an attacker.)

Of course, this assumes that the equipment can do such policing in 
hardware, or with negligible impact...
Totally filtering ICMP echoes would raise lots of user hackles...
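One way to express the ingress ICMP policing described above on a Linux router, as an added nftables example that is not from this thread; it assumes ISP-facing traffic traverses the forward hook, converts the 2 Mbps figure to 250 kbytes/second, and uses made-up table and chain names:

```nft
# Added example: police aggregate ICMP/ICMPv6 crossing the router to about
# 2 Mbps (250 kbytes/second), dropping only what exceeds that budget.
# At normal volumes echo requests and replies pass untouched; only an
# attack-scale flood is capped. Table and chain names are placeholders.
table inet icmp_police {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # "over" matches traffic beyond the budget; the burst absorbs short
        # legitimate spikes such as a traceroute or a monitoring sweep.
        meta l4proto { icmp, icmpv6 } limit rate over 250 kbytes/second burst 256 kbytes counter drop

        # Nothing else is touched: no per-flow limiting of TCP SYNs, which
        # as noted above would only lower the bar for an attacker.
    }
}
```

Load it with `nft -f` and watch the rule's counter: during normal operation it should stay near zero, and only a flood drives it up.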



