North American Network Operators Group


Re: Ping flooding (fwd)

  • From: Justin W. Newton
  • Date: Tue Jul 09 13:40:54 1996

At 10:43 PM 7/8/96 -0400, Todd Graham Lewis wrote:

>If you have a very restrictive security policy, then you might want to 
>place a packet filter on all outgoing traffic.  If your network is 
>10.1.1.64/26, then you might have the following two rules:
>
>action      source        destination
>------      ------        -----------
>
>allow       10.1.1.64/26  *
>deny        *             *
>
>Of course, no one does this, because it is very time consuming for your 
>router to examine every packet in this way.  This translates into more 
>marginal cost on your hardware for very little return.
>
>Say that person X, the person who owns the network from which these pings 
>are apparently originating, did have such a filter.  What does this do?  
>It proves that the packets are not originating on his network.  Does it 
>stop anyone else from forging these packets?  No.

Actually it doesn't prove that.  The filter would /allow/ the packets to
pass through the router since they were coming from one of his networks.  If
everyone else on the planet had such a rule it would prove that it /was/
coming from him.


Justin Newton
Internet Architect
Erol's Internet Services
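
Added example (not part of the original message or thread): a small model of the two-rule egress filter quoted above, showing which sites could have emitted a packet with a given source address depending on who deploys the filter. Only the 10.1.1.64/26 prefix comes from the thread; the site names, the other prefixes and the function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology: only 10.1.1.64/26 comes from the thread;
# the other prefixes and all site names are hypothetical.
SITES = {
    "X": ip_network("10.1.1.64/26"),
    "Y": ip_network("10.2.0.0/24"),
    "Z": ip_network("10.3.0.0/24"),
}


def egress_permits(site_prefix, src):
    """The two-rule filter from the thread: allow own prefix, deny all else."""
    return ip_address(src) in site_prefix


def possible_origins(src, filtering_sites):
    """Sites whose border router would let a packet claiming `src` leave.

    A site without the filter can emit any source address; a site with the
    filter can emit only sources inside its own prefix.
    """
    origins = []
    for name, prefix in SITES.items():
        if name not in filtering_sites or egress_permits(prefix, src):
            origins.append(name)
    return sorted(origins)


if __name__ == "__main__":
    observed_src = "10.1.1.70"  # constructed address inside X's /26
    for label, filtering in [
        ("nobody filters", set()),
        ("only X filters", {"X"}),
        ("everyone filters", set(SITES)),
    ]:
        print(f"{label:18} -> {possible_origins(observed_src, filtering)}")
```

With only X filtering, the candidate set for a source inside X's prefix is unchanged; it narrows to X alone only when every site applies the filter.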
