nanog mailing list archives

Re: ICMP Blocking Woes

From: Haesu <haesu () towardex com>
Date: Mon, 29 Sep 2003 13:15:32 -0400


<rant>
Providers blocking all ICMP = ignorant

I can't possibly stand any ISP's blocking _ALL_ ICMP (alas it is happening now, I already know 5 ISP's around my area 
who's doing this as I speak) for any reasons.

If you want to *cough*cough*mitigate*/cough*/cough* impact of so-called BLASTER, please please please for the love of 
god, just block echo/echo replies.

Not to mention blocking icmp will not help stop the propagation of the worm.

</rant>

-hc

-- 
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu () towardex com
Cell: (978)394-2867     | Office: (978)263-3399 Ext. 174
Fax: (978)263-0033      | POC: HAESU-ARIN

On Mon, Sep 29, 2003 at 09:43:14AM -0700, CA Windon wrote:


Dear NANOG-ers,

I work for an information security company that is
dependant upon ICMP for network mapping purposes
(read: traceroute).  On or about August 18, we were
told, our upstream provider began blocking ICMP
packets at its border in the Chicago NAP in an effort
to cut down on the propagation of 'MSBlast'.  This has
effected our ability to accurately map our customers
networks.

We've been in contact with an engineer in this
provider's NOC who is either unable or unwilling to
remove this ACL for our block of IPs.

Currently, we've been given two options.  (1) Deal
with the effect of the ACL until 'MSBlast' traffic
subsides, or (2) they are willing to reroute our
traffic out of the Chicago NAP to a border router
that, they claim, does not have the same ACL.  The
problem with option 2 is that they would force us to
renumber.  This is a problem for us, as it would
impact our customers as well.

What options can I take to my management that would
cause the least impact to the services we provide
while not causing undue work for our clients.  Also,
what other options could I suggest to my upstream
provider?

TIA,

C. Windon

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

Current thread:

ICMP Blocking Woes CA Windon (Sep 29)
- Re: ICMP Blocking Woes Crist Clark (Sep 29)
- Re: ICMP Blocking Woes Haesu (Sep 29)
- Re: ICMP Blocking Woes mike harrison (Sep 29)
- Re: ICMP Blocking Woes Stephen J. Wilcox (Sep 29)
  - RE: ICMP Blocking Woes Eric Germann (Sep 29)
    - RE: ICMP Blocking Woes CA Windon (Sep 29)
    - Re: ICMP Blocking Woes Steven M. Bellovin (Sep 29)
    - Re: ICMP Blocking Woes Paul Timmins (Sep 29)
    - Re: ICMP Blocking Woes E.B. Dreger (Sep 29)
    - Re: ICMP Blocking Woes Geo. (Sep 30)
    - Re: ICMP Blocking Woes Eric Kagan (Sep 30)
    - Re: ICMP Blocking Woes Eric Kagan (Sep 30)

(Thread continues...)