Re: [nsp] known networks for broadcast ping attacks

[miquels () cistron nl (Miquel van Smoorenburg)]

In article <E0wy8DZ-0002RT-00 () cronus ccti net>,
Eric Wieling  <eric () cronus ccti net> wrote:
> We recently implemented outbound filters for our network.  It's
> rather draconion, but it's effectiveand we've had no complaints yet. 
> We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
> with source addresses on our network That's all.  It does not
> eliminate ping floods, but at least the source address will be
> traceable to us.  (Yes, our whois information is up to date 8-). 
> Granted, that means that we don't send out TTL exceeded (so people
> can't traceroute into us), we don't send out destination, host, or
> network unreachable, so if people try to access a host/port/network
> that does not exist, they have to wait and wait for their local TCP
> stack to time out.  It is my belief that people should not be
> pinging, tracerouting, into our network and that people should not be
> trying to access hosts that don't exist.

So, if you filter out all ICMP messages, do you also filter out
ICMP unreachables? If so, you're also filtering the ICMP unreach/fragmentation
needed message. Which means that MTU discovery doesn't work over your network.
Which in turn means that lots of TCP stacks will not be able to connect
to your network...

Just FYI

Mike.
-- 
| Miquel van Smoorenburg |                                                    |
| miquels () cistron nl     | Owners of digital watches, your days are numbered. |
|     PGP fingerprint: FE 66 52 4F CD 59 A5 36  7F 39 8B 20 F1 D6 74 02       |