nanog mailing list archives
Re: ICMP filtering, was Re: ICANN Targets DDoS Attacks
From: Rob Thomas <robt () cymru com>
Date: Wed, 30 Oct 2002 09:36:03 -0600 (CST)
Hi, Rafi! How's things?

] I find it hard to believe You have no thoughts about:

Oh, you know me; I have a thought about everything. :)

] 1) rate-limiting ICMP

This is covered in the Secure IOS Template, though it likely should be added to the ICMP filtering list as well. I very much like the example posted by Jared, so I may steal that as well (*waves to Jared*). :)

] 2) passing ICMP "statefully"
] (that is for example ICMP echo reply only accepted in reply to an ICMP echo)

Ah, yeah... I've seen a lot of problems with stateful inspection of ICMP flows. In short, I've not seen it work consistently. Enlightenment is welcome. :)

] 3) DoS problems related to ICMP unreachables

This is also covered in the Secure IOS Template; I recommend disabling them. Barry has already given me the syntax to rate limit them, which is something I need to add to the Secure IOS Template. I need more time and more coffee. :)

http://www.cymru.com/Documents/secure-ios-template.html

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);