North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: [nsp] known networks for broadcast ping attacks

  • From: Miquel van Smoorenburg
  • Date: Tue Aug 12 12:11:13 1997
  • Distribution: cistron
  • Newsgroups: lists.nanog

In article <[email protected]>,
Eric Wieling  <[email protected]> wrote:
>We recently implemented outbound filters for our network.  It's
>rather draconion, but it's effectiveand we've had no complaints yet. 
>We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
>with source addresses on our network That's all.  It does not
>eliminate ping floods, but at least the source address will be
>traceable to us.  (Yes, our whois information is up to date 8-). 
>Granted, that means that we don't send out TTL exceeded (so people
>can't traceroute into us), we don't send out destination, host, or
>network unreachable, so if people try to access a host/port/network
>that does not exist, they have to wait and wait for their local TCP
>stack to time out.  It is my belief that people should not be
>pinging, tracerouting, into our network and that people should not be
>trying to access hosts that don't exist.

So, if you filter out all ICMP messages, do you also filter out
ICMP unreachables? If so, you're also filtering the ICMP unreach/fragmentation
needed message. Which means that MTU discovery doesn't work over your network.
Which in turn means that lots of TCP stacks will not be able to connect
to your network...

Just FYI

| Miquel van Smoorenburg |                                                    |
| [email protected]     | Owners of digital watches, your days are numbered. |
|     PGP fingerprint: FE 66 52 4F CD 59 A5 36  7F 39 8B 20 F1 D6 74 02       |