North American Network Operators Group


Re: ICMP Attacks???????

  • From: Alex.Bligh
  • Date: Sat Aug 16 05:19:54 1997

[email protected] said:

> Aug 15 20:04:45.087 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp
> 1.1.1.1 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (0/0), 1 packet

I'm pretty sure this is a new feature. Wow. Useful. That's exactly
what I wanted. Given you are doing this I take it it's in 11.1.11CA1.

> Hope I haven't overlooked something obvious here .. but I'm sure that
> if I did someone will "enlighten" me ;-)  Of course, the one obvious
> thing I didn't mention is that if everyone were to deploy ingress
> filtering, this would be much, much easier to control.

The other nice solution would be an inverse traceroute that went
back to each router in turn, passing it a bit of BPF saying "where
are you getting packets like this from please?". If such a protocol
existed, this would allow trace back to source (or at least trace
back to the point where the protocol wasn't supported) which would
automate most of the tracking and reduce the need to persuade
NOCs to cooperate. There are obviously security concerns in allowing
3rd parties to remotely apply packet tracking in your network, but
I'm sure with a cold flannel applied to forehead these could be
worked through. RFC time anyone?

Alex Bligh
Xara Networks
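
An added example, not part of the original post: it parses log lines in the format quoted above and totals packets per input interface and source MAC for one destination, so that varying (spoofed) source addresses collapse onto the neighbour that delivered them. Only the first sample line comes from the post; the other lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the quoted %SEC-6-IPACCESSLOGDP line:
# list <acl> <action> icmp <src> (<in-if> <src-mac>) -> <dst> (<type>/<code>), <n> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) \((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

SAMPLE = [
    # Line quoted in the post (joined onto one line).
    "Aug 15 20:04:45.087 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp "
    "1.1.1.1 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (0/0), 1 packet",
    # Constructed lines below: same neighbour again, a second neighbour on the
    # same shared interface, and an unrelated destination.
    "Aug 15 20:09:45.101 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp "
    "1.1.1.1 (Fddi6/0 0060.7017.a188) -> 192.41.177.255 (0/0), 12 packets",
    "Aug 15 20:09:46.312 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp "
    "2.2.2.2 (Fddi6/0 0000.0c12.3456) -> 192.41.177.255 (0/0), 3 packets",
    "Aug 15 20:09:47.000 MST: %SEC-6-IPACCESSLOGDP: list 199 permitted icmp "
    "3.3.3.3 (Fddi6/0 0060.7017.a188) -> 10.0.0.1 (8/0), 5 packets",
]

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "count"):
        rec[key] = int(rec[key])
    return rec

def ingress_tally(lines, dst):
    """Total packets to `dst`, keyed by (input interface, source MAC)."""
    tally = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["dst"] == dst:
            # The source IP is ignored on purpose: it may be forged, while
            # the interface and MAC identify the adjacent device.
            tally[(rec["ifname"], rec["mac"])] += rec["count"]
    return tally

if __name__ == "__main__":
    for (ifname, mac), n in ingress_tally(SAMPLE, "192.41.177.255").most_common():
        print(f"{ifname} {mac}: {n} packets")
```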