Re: ICMP Attacks???????

[David Ross <ross () rce com>]

"Alex.Bligh" writes:
> danny () genuity net said:
>
> > Aug 15 20:04:45.087 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp
> > 1.1.1.1 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (0/0), 1 packet
>
> I'm pretty sure this is a new feature. Wow. Useful. That's exactly
> what I wanted. Given you are doing this I take it it's in 11.1.11CA1.
>
> > Hope I haven't overlooked something obvious here .. but I'm sure that
> > if a did someone will "enlighten" me ;-)  Of course, the one obvious
> > thing I didn't mention is that if everyone were to deploy ingress
> > filtering, this would be much, much easier to control.
>
> The other nice solution would be an inverse traceroute that went
> back to each router in turn, passing it a bit of BPF saying "where
> are you getting packets like this from please?". If such a protocol
> existed, this would allow trace back to source (or at least trace
> back to the point where the protocol wasn't supported) which would
> automate most of the tracking and reduce the need to persuade
> NOCs to cooperate. There are obviously security concerns in allowing
> 3rd parties to remotely apply packet tracking in your network, but
> I'm sure with a cold flannel applied to forehead these could be
> worked through. RFC time anyone?
>
> Alex Bligh
> Xara Networks