nanog mailing list archives
Re: [nsp] known networks for broadcast ping attacks
From: Eric Wieling <eric () cronus ccti net>
Date: Mon, 11 Aug 1997 23:06:01 -0500 (CDT)
Some time ago Rick Watson said:
The filters need to be higher up the chain. EVERYONE needs to install anti-spoof filters. I'd prefer not to be forced to filter out all pings. Everyone filtering out ICMP packets means there is a 100% successful denial of service attack on what is otherwise a very useful debugging tool (ping).
We recently implemented outbound filters for our network. It's rather draconian, but it's effective and we've had no complaints yet. We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request) with source addresses on our network. That's all. It does not eliminate ping floods, but at least the source address will be traceable to us. (Yes, our whois information is up to date 8-).

Granted, that means that we don't send out TTL exceeded (so people can't traceroute into us), we don't send out destination, host, or network unreachable, so if people try to access a host/port/network that does not exist, they have to wait and wait for their local TCP stack to time out. It is my belief that people should not be pinging, tracerouting, into our network and that people should not be trying to access hosts that don't exist.

We also block all inbound ICMP 0/0 (echo request) and a bunch of other things.

--Eric

--
Eric Wieling (eric () ccti net), Corporate Communications Technology
Sales: 504-585-7303 (sales () ccti net), Support: 504-525-5449 (support () ccti net)
A BellSouth Communications Specialist. No, I don't work for BellSouth, I'm just on the phone with them so much that I'm an expert at getting them to do things.
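The outbound policy described in the message above, modelled as an added example (not code from the post or its author), run over constructed packets to show which traffic leaves and which of the side effects the message mentions follow from it. Assumptions: 192.0.2.0/24 stands in for the poster's network, and the post's "ICMP 0/0 (echo request)" is read as the echo request message, ICMP type 8 code 0.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Assumption: documentation prefix standing in for "our network".
OUR_NET = ipaddress.ip_network("192.0.2.0/24")

# IANA IP protocol numbers.
ICMP, TCP, UDP, GRE = 1, 6, 17, 47
# Assumption: the post's "echo request" is ICMP type 8, code 0 (RFC 792).
ECHO_REQUEST = (8, 0)


class Packet(NamedTuple):
    src: str
    proto: int
    icmp: Optional[Tuple[int, int]] = None  # (type, code) when proto is ICMP


def egress_verdict(pkt: Packet) -> str:
    """Return 'permit' or 'deny: <reason>' for a packet leaving the network."""
    # Anti-spoof check first: anything we emit must carry one of our addresses.
    if ipaddress.ip_address(pkt.src) not in OUR_NET:
        return "deny: source address not ours (anti-spoof)"
    if pkt.proto in (TCP, UDP, GRE):
        return "permit"
    if pkt.proto == ICMP:
        if pkt.icmp == ECHO_REQUEST:
            return "permit"
        return f"deny: ICMP {pkt.icmp} not allowed out"
    return f"deny: protocol {pkt.proto} not allowed out"


# Constructed sample traffic (not captured data).
SAMPLES = {
    "customer web request": Packet("192.0.2.10", TCP),
    "our ping to a remote host": Packet("192.0.2.10", ICMP, (8, 0)),
    "spoofed-source ping flood": Packet("203.0.113.7", ICMP, (8, 0)),
    "TTL exceeded (traceroute reply)": Packet("192.0.2.1", ICMP, (11, 0)),
    "host unreachable": Packet("192.0.2.1", ICMP, (3, 1)),
}


def evaluate_samples() -> dict:
    return {name: egress_verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:34} {verdict}")
```

The two denied ICMP rows are the traceroute and unreachable side effects the message accepts; the spoofed row is the case the source-address check exists for.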