nanog mailing list archives

Re: [nsp] known networks for broadcast ping attacks


From: "David P. Maynard" <dpm () flametree com>
Date: Tue, 12 Aug 1997 06:04:29 -0500


Eric Wieling wrote:
We recently implemented outbound filters for our network.  It's
rather draconian, but it's effective and we've had no complaints yet.
We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
with source addresses on our network.  That's all.
[...]
We also block all inbound ICMP 0/0 (echo request) and a
bunch of other things.

--Eric

You should probably allow more ICMP types.  In particular, allowing the ones used by Path MTU discovery will make your 
life easier.  Trying to track down bizarre sounding connection problems that turn out to be Path MTU discovery failures 
can make for an interesting day, but it gets old after a while.  I think there was a discussion here a few weeks ago on 
ICMP filters, so I would check the archives for details.

-dpm

-- 
 David P. Maynard, Flametree Corporation
 EMail: dpm () flametree com,  Tel: +1 512 670 4090,  Fax: +1 512 251 8308
--
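The reply above points out that an ICMP filter permitting only echo request will silently break Path MTU Discovery, because the "fragmentation needed and DF set" message (ICMP type 3, code 4) that a router sends back never reaches the sender. The following is an added illustration written for this archive page, not code from either poster: it models a sender doing PMTUD across a path with a narrower link and shows how the two filter policies (the draconian one quoted above and a constructed variant that also admits type 3/4) change the outcome. Policy names, link MTUs, and the simplified retransmit model are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List

# ICMP type/code values from RFC 792 and RFC 1191 (Path MTU Discovery).
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4  # type 3 / code 4: "fragmentation needed and DF set"

# A policy is a set of (type, code) pairs that the filter permits.
# A code of None means "any code for this type".
Policy = Set[Tuple[int, Optional[int]]]

# Constructed approximation of the quoted filter: echo request only.
DRACONIAN: Policy = {(ICMP_ECHO_REQUEST, None)}

# Constructed variant that also admits what PMTUD (and traceroute) need.
PMTUD_FRIENDLY: Policy = {
    (ICMP_ECHO_REQUEST, None),
    (ICMP_ECHO_REPLY, None),
    (ICMP_DEST_UNREACH, CODE_FRAG_NEEDED),
    (ICMP_TIME_EXCEEDED, None),
}


@dataclass(frozen=True)
class IcmpMsg:
    type: int
    code: int = 0
    next_hop_mtu: int = 0  # only meaningful for type 3 / code 4


@dataclass(frozen=True)
class TransferResult:
    delivered: bool
    pmtu: int        # the sender's final path-MTU estimate
    attempts: int    # packets the sender had to send


def icmp_permitted(policy: Policy, msg: IcmpMsg) -> bool:
    """Return True if the filter lets this ICMP message through."""
    return any(t == msg.type and (c is None or c == msg.code)
               for t, c in policy)


def pmtud_blocked_by(policy: Policy) -> List[IcmpMsg]:
    """List the ICMP messages PMTUD relies on that this policy drops."""
    needed = [IcmpMsg(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED)]
    return [m for m in needed if not icmp_permitted(policy, m)]


def simulate_transfer(policy: Policy, link_mtus: List[int],
                      max_attempts: int = 4) -> TransferResult:
    """Model a DF-bit sender discovering the path MTU.

    The sender starts by assuming the first-hop MTU and sends full-sized
    packets. The first link whose MTU is smaller drops the packet and
    emits a type 3 / code 4 message carrying its MTU. If the filter
    passes that message, the sender shrinks its estimate and retries;
    if the filter drops it, the sender retransmits the same size and
    eventually gives up (the classic PMTUD black hole).
    """
    pmtu = link_mtus[0]
    for attempt in range(1, max_attempts + 1):
        bottleneck = next((mtu for mtu in link_mtus if mtu < pmtu), None)
        if bottleneck is None:
            return TransferResult(True, pmtu, attempt)
        icmp = IcmpMsg(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED,
                       next_hop_mtu=bottleneck)
        if icmp_permitted(policy, icmp):
            pmtu = icmp.next_hop_mtu   # sender learns the smaller MTU
        # else: message filtered, sender learns nothing and retries as-is
    return TransferResult(False, pmtu, max_attempts)


if __name__ == "__main__":
    # Constructed path: a 1400-byte link in the middle of 1500-byte links.
    path = [1500, 1500, 1400, 1500]
    for name, policy in (("draconian", DRACONIAN),
                         ("pmtud-friendly", PMTUD_FRIENDLY)):
        print(name, simulate_transfer(policy, path),
              "drops:", pmtud_blocked_by(policy))
```

Running the script shows the draconian policy stalling the transfer at a 1500-byte estimate while the variant converges to 1400 on the second packet. The same check is worth running against any real ruleset before deployment: if `pmtud_blocked_by` reports type 3/4 as dropped, expect exactly the "bizarre sounding connection problems" the reply describes, typically large transfers that hang while small ones and pings work.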