North American Network Operators Group


Re: [nsp] known networks for broadcast ping attacks

  • From: David P. Maynard
  • Date: Tue Aug 12 07:21:01 1997

Eric Wieling wrote:
> We recently implemented outbound filters for our network.  It's
> rather draconian, but it's effective and we've had no complaints yet.
> We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
> with source addresses on our network.  That's all.
> [...]
> We also block all inbound ICMP 0/0 (echo request) and a
> bunch of other things.
> 
> --Eric

You should probably allow more ICMP types.  In particular, allowing the ones used by Path MTU discovery will make your life easier.  Trying to track down bizarre-sounding connection problems that turn out to be Path MTU discovery failures can make for an interesting day, but it gets old after a while.  I think there was a discussion here a few weeks ago on ICMP filters, so I would check the archives for details.

-dpm

-- 
 David P. Maynard, Flametree Corporation
 EMail: [email protected],  Tel: +1 512 670 4090,  Fax: +1 512 251 8308
--
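The failure mode David describes, as an added example that is not part of the thread and not code from either poster: a small model of two inbound ICMP policies and a simulated DF-set flow across a path of per-hop MTUs. The rule sets and path MTUs are constructed; the ICMP type and code numbers (type 8 echo request, type 3 code 4 "fragmentation needed") are the ones defined in RFC 792 and RFC 1191. The point it shows is that a blanket inbound ICMP deny, added to stop echo requests, also discards the "fragmentation needed" message a router sends back when it drops an oversized DF packet, so the sender never learns the smaller MTU and the connection silently stalls.

```python
"""Model of why an inbound ICMP filter that drops 'fragmentation needed'
black-holes Path MTU discovery.  Constructed example; the rule sets and
path MTUs below are made up for illustration."""
from dataclasses import dataclass
from typing import List, Optional

ICMP_DEST_UNREACH = 3   # ICMP type 3, Destination Unreachable (RFC 792)
ICMP_FRAG_NEEDED = 4    # type 3 code 4, Fragmentation Needed and DF set (RFC 1191)
ICMP_ECHO_REQUEST = 8   # ICMP type 8, echo request


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "gre", "icmp" or "any"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"
    icmp_code: Optional[int] = None

    def matches(self, proto: str, icmp_type: Optional[int], icmp_code: Optional[int]) -> bool:
        if self.proto not in ("any", proto):
            return False
        if self.icmp_type is not None and self.icmp_type != icmp_type:
            return False
        if self.icmp_code is not None and self.icmp_code != icmp_code:
            return False
        return True


def filter_allows(rules: List[Rule], proto: str, icmp_type: Optional[int] = None,
                  icmp_code: Optional[int] = None) -> bool:
    """First matching rule wins; no match means deny (router-ACL semantics)."""
    for rule in rules:
        if rule.matches(proto, icmp_type, icmp_code):
            return rule.action == "permit"
    return False


# Constructed inbound policy in the spirit of the thread: drop echo requests and,
# via a blanket ICMP deny, every other ICMP message as well.
STRICT_INBOUND = [
    Rule("deny", "icmp", ICMP_ECHO_REQUEST),
    Rule("deny", "icmp"),
    Rule("permit", "tcp"),
    Rule("permit", "udp"),
    Rule("permit", "gre"),
]

# The same policy with one line added in front: let Fragmentation Needed through.
PMTUD_FRIENDLY_INBOUND = [
    Rule("permit", "icmp", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED),
    Rule("deny", "icmp", ICMP_ECHO_REQUEST),
    Rule("deny", "icmp"),
    Rule("permit", "tcp"),
    Rule("permit", "udp"),
    Rule("permit", "gre"),
]


def pmtud_transfer(inbound_rules: List[Rule], path_mtus: List[int],
                   size: int = 1500, max_rounds: int = 8) -> Optional[int]:
    """Simulate one DF-set flow across a path of per-hop MTUs.

    Returns the packet size that finally fits every hop, or None when the flow
    black-holes: a hop drops the oversized packet and answers with ICMP type 3
    code 4, but the sender's own inbound filter discards that answer, so the
    sender never lowers its packet size and keeps retransmitting at `size`.
    """
    for _ in range(max_rounds):
        too_small = [mtu for mtu in path_mtus if mtu < size]
        if not too_small:
            return size                      # fits every hop: delivered
        reported_mtu = too_small[0]          # first undersized hop drops it and reports its MTU
        if not filter_allows(inbound_rules, "icmp", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
            return None                      # report filtered at our edge: black hole
        size = reported_mtu                  # RFC 1191: adopt the advertised next-hop MTU
    return None


if __name__ == "__main__":
    path = [1500, 1400, 1280]                # constructed path with two MTU steps
    print("strict policy:        ", pmtud_transfer(STRICT_INBOUND, path))
    print("PMTUD-friendly policy:", pmtud_transfer(PMTUD_FRIENDLY_INBOUND, path))
```

Small packets pass under both policies, which is why the symptom shows up as "interactive sessions work but bulk transfers hang": only packets larger than the smallest hop MTU ever trigger the filtered message. Both policies still reject inbound echo requests, so the fix costs nothing the original filter was meant to achieve.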