nanog mailing list archives
Re: [nsp] known networks for broadcast ping attacks
From: miquels () cistron nl (Miquel van Smoorenburg)
Date: 12 Aug 1997 08:57:39 +0200
In article <E0wy8DZ-0002RT-00 () cronus ccti net>, Eric Wieling <eric () cronus ccti net> wrote:

> We recently implemented outbound filters for our network. It's rather draconian, but it's effective and we've had no complaints yet. We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request) with source addresses on our network. That's all. It does not eliminate ping floods, but at least the source address will be traceable to us. (Yes, our whois information is up to date 8-).
>
> Granted, that means that we don't send out TTL exceeded (so people can't traceroute into us), we don't send out destination, host, or network unreachable, so if people try to access a host/port/network that does not exist, they have to wait and wait for their local TCP stack to time out. It is my belief that people should not be pinging, tracerouting, into our network and that people should not be trying to access hosts that don't exist.
So, if you filter out all ICMP messages, do you also filter out ICMP unreachables? If so, you're also filtering the ICMP unreach/fragmentation needed message. Which means that MTU discovery doesn't work over your network. Which in turn means that lots of TCP stacks will not be able to connect to your network...

Just FYI

Mike.

--
| Miquel van Smoorenburg | miquels () cistron nl | Owners of digital watches, your days are numbered. |
| PGP fingerprint: FE 66 52 4F CD 59 A5 36 7F 39 8B 20 F1 D6 74 02 |
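The exchange above describes two filter policies and what each one breaks. As an added example, not part of either poster's message, the following Python models Path MTU Discovery (RFC 1191) across a path whose narrowest hop sits inside the filtered network, so the router's ICMP "fragmentation needed" (type 3, code 4) is subject to the outbound filter. The policy names `DRACONIAN` and `PMTUD_SAFE`, the hop MTUs, and the `audit_policy` checks are constructed for illustration; the ICMP type and code numbers are the standard ones.

```python
"""Model of Path MTU Discovery under an outbound ICMP filter (constructed example).

A sender outside the filtered network sends DF-marked segments inward. The first
router whose downstream MTU is too small drops the packet and should emit ICMP
type 3 code 4 back toward the sender. If the filter drops that message, the
sender never learns the smaller MTU and the connection black-holes.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
FRAG_NEEDED = 4  # code under type 3


@dataclass(frozen=True)
class IcmpRule:
    """One permitted ICMP type; code None means any code of that type."""
    icmp_type: int
    code: Optional[int] = None


def permitted(policy: Sequence[IcmpRule], icmp_type: int, code: int) -> bool:
    """True if the policy lets an ICMP message of this type/code leave the network."""
    return any(r.icmp_type == icmp_type and (r.code is None or r.code == code)
               for r in policy)


# Policy as described in the thread: only outbound echo request is allowed.
DRACONIAN: Tuple[IcmpRule, ...] = (IcmpRule(ICMP_ECHO_REQUEST),)

# Same policy plus the two messages whose absence the thread complains about:
# fragmentation-needed (PMTUD) and time-exceeded (inbound traceroute).
PMTUD_SAFE: Tuple[IcmpRule, ...] = DRACONIAN + (
    IcmpRule(ICMP_DEST_UNREACH, FRAG_NEEDED),
    IcmpRule(ICMP_TIME_EXCEEDED),
)


def pmtud(sender_mtu: int, path_mtus: Sequence[int], policy: Sequence[IcmpRule],
          max_attempts: int = 10) -> Tuple[int, bool, int]:
    """Simulate a DF-marked flow along path_mtus (hop MTUs, sender side first).

    Returns (mtu the sender ends up using, whether data was delivered,
    number of send attempts). Each attempt walks the path; the first hop with
    a smaller MTU drops the packet and tries to report its MTU via ICMP 3/4.
    """
    mtu = sender_mtu
    for attempt in range(1, max_attempts + 1):
        for hop_mtu in path_mtus:
            if mtu > hop_mtu:
                if permitted(policy, ICMP_DEST_UNREACH, FRAG_NEEDED):
                    mtu = hop_mtu  # sender learns next-hop MTU and retries
                    break
                return mtu, False, attempt  # black hole: sender sees nothing
        else:
            return mtu, True, attempt  # packet fit every hop
    return mtu, False, max_attempts


def audit_policy(policy: Sequence[IcmpRule]) -> List[str]:
    """List the reachability side effects of an outbound ICMP policy."""
    findings = []
    if not permitted(policy, ICMP_DEST_UNREACH, FRAG_NEEDED):
        findings.append("PMTUD black hole: ICMP type 3 code 4 cannot leave the network")
    if not permitted(policy, ICMP_TIME_EXCEEDED, 0):
        findings.append("inbound traceroute shows no hops: ICMP type 11 dropped")
    if not all(permitted(policy, ICMP_DEST_UNREACH, c) for c in (0, 1, 2, 3)):
        findings.append("connections to absent nets/hosts/ports wait for TCP timeout: "
                        "ICMP type 3 codes 0-3 dropped")
    return findings


if __name__ == "__main__":
    path = [1500, 1400, 1000]  # constructed: two successively narrower hops inside
    for name, policy in (("draconian", DRACONIAN), ("pmtud-safe", PMTUD_SAFE)):
        print(name, pmtud(1500, path, policy), audit_policy(policy))
```

With the constructed three-hop path the permissive policy converges on 1000 bytes after three attempts, while the echo-request-only policy stalls on the very first oversized segment, which is the failure Miquel describes: the filter itself, not the peer's stack, prevents the connection.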
Current thread:
- Re: [nsp] known networks for broadcast ping attacks Joe Provo - Network Architect (Aug 02)
- Re: [nsp] known networks for broadcast ping attacks Rick Watson (Aug 11)
- Re: [nsp] known networks for broadcast ping attacks Jon Lewis (Aug 11)
- Re: [nsp] known networks for broadcast ping attacks Eric Wieling (Aug 11)
- Re: [nsp] known networks for broadcast ping attacks David P. Maynard (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Miquel van Smoorenburg (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Jonah Yokubaitis (Aug 11)
- Re: [nsp] known networks for broadcast ping attacks Jon Lewis (Aug 11)
- Re: [nsp] known networks for broadcast ping attacks Charles Sprickman (Aug 11)
- Re: [nsp] known networks for broadcast ping attacks Martin Cooper (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Greg Ketell (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Sharif Torpis (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Charles Sprickman (Aug 11)
- Re: [nsp] known networks for broadcast ping attacks Ran Atkinson (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Paul Ferguson (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Peter Giza (Aug 12)
- Re: [nsp] known networks for broadcast ping attacks Alan Barrett (Aug 13)