nanog mailing list archives
Re: Smurf tone down
From: sthaug () nethelp no
Date: Mon, 03 May 1999 22:00:52 +0200
access-list 175 permit icmp any any

int bleh/bleh
rate-limit input access-group 175 128000 8000 8000 conform-action transmit exceed-action drop
rate-limit output access-group 175 128000 8000 8000 conform-action transmit exceed-action drop

I agree, the above isn't all that hard. However, I'd argue that the above is in some sense wrong. There's no need to put all ICMP traffic in the same basket; some ICMP traffic is required for e.g. path MTU discovery to work. So, instead I'd use

access-list 175 permit icmp any any echo-reply

With all the smurf amplifiers available, it is of course easier to generate several Mbps of ICMP Echo Reply than it is to generate large amounts of other ICMP traffic. However, if your network is exposed to several Mbps of inbound ICMP *other* than Echo Reply, it may be equally bad for your network. So I prefer to leave it as 'icmp any any'.

Steinar Haug, Nethelp consulting, sthaug () nethelp no
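
The trade-off argued in the message above, as an added example that is not part of the original post: a simplified Python model that treats the rate-limit line as a plain token bucket (an assumption, taken because both burst values are equal) and runs both access-list variants over constructed traffic. The function names, packet sizes and packet timings are assumptions made for the illustration.

```python
# Added illustration, not code from the thread. A plain token bucket stands in for
# "rate-limit ... 128000 8000 8000"; all traffic is constructed sample data.
ECHO_REPLY, FRAG_NEEDED, OTHER = "echo-reply", "frag-needed", "other-icmp"
RATE_BPS, BURST_BYTES = 128000, 8000
SCALE = 8_000_000  # tokens are 1/8,000,000 byte, so refill per microsecond is exact

def flood(icmp_type, seconds=2, gap_us=100, size=80):
    """Constructed flood: one 80-byte packet every 100 us (6.4 Mbps)."""
    return [(t, icmp_type, size) for t in range(0, seconds * 1_000_000, gap_us)]

def pmtud(seconds=2, every_us=97_000, size=56):
    """Constructed legitimate traffic: occasional 56-byte 'fragmentation needed'."""
    return [(t + 50, FRAG_NEEDED, size)
            for t in range(every_us, seconds * 1_000_000, every_us)]

def police(trace, acl_matches):
    """Bytes passed per ICMP type; packets the ACL does not match bypass the limiter."""
    depth = BURST_BYTES * SCALE
    tokens, last, passed = depth, 0, {}
    for now, icmp_type, size in sorted(trace):
        if acl_matches(icmp_type):
            tokens = min(depth, tokens + (now - last) * RATE_BPS)
            last = now
            if tokens < size * SCALE:
                continue                # exceed-action drop
            tokens -= size * SCALE      # conform-action transmit
        passed[icmp_type] = passed.get(icmp_type, 0) + size
    return passed

def any_icmp(icmp_type):         # access-list 175 permit icmp any any
    return True

def echo_reply_only(icmp_type):  # access-list 175 permit icmp any any echo-reply
    return icmp_type == ECHO_REPLY

def compare(seconds=2):
    smurf = flood(ECHO_REPLY, seconds) + pmtud(seconds)
    other = flood(OTHER, seconds)
    return {
        "smurf/any": police(smurf, any_icmp),
        "smurf/echo-reply": police(smurf, echo_reply_only),
        "other/any": police(other, any_icmp),
        "other/echo-reply": police(other, echo_reply_only),
    }

if __name__ == "__main__":
    for case, result in compare().items():
        print(case, result)
```

Run directly, it prints the bytes passed per ICMP type for each combination of traffic and access list.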