North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Filtering ICMP (Was Re: SMURF amplifier block list)
Thus spake Alex P. Rudnev > deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm echo-request log > > to prevent smurf originating, or > > deny icmp any aaa.bbb.ccc.ddd www.ccc.nnn.mmm echo-reply > > to prevent smurf flooding into your network. > > No important ICMP are affected this case. Depends what you (or your users) consider important. Consider that users think that they understand networking because they know how to ping or traceroute and your support lines will be busy explaining that you aren't really down just because they can't traceroute to you. We have a little script that looks at network usage and when it sees a spike in traffic it temporarily blocks echo-reply in. It isn't perfect but it helps. We know what our normal traffic is and when it goes much higher we kick the filter into place. If the script makes a mistake and blocks when it isn't really an attack then we haven't actually cut anyone off but we don't flood our downstreams when there is an actual attack. -- D'Arcy J.M. Cain <[email protected]{druid|vex}.net> | Democracy is three wolves http://www.druid.net/darcy/ | and a sheep voting on +1 416 424 2871 (DoD#0082) (eNTP) | what's for dinner.
|