North American Network Operators Group


Re: Smurf tone down

  • From: sthaug
  • Date: Mon May 03 16:01:53 1999

> > access-list 175 permit icmp any any
> > int bleh/bleh
> >  rate-limit input access-group 175 128000 8000 8000 conform-action transmit exceed-action drop
> >  rate-limit output access-group 175 128000 8000 8000 conform-action transmit exceed-action drop
> 
> I agree, the above isn't all that hard.
> 
> However, I'd argue that the above is in some sense wrong.
> There's no need to put all ICMP traffic in the same basket; some
> ICMP traffic is required for e.g. path MTU discovery to work.
> So, instead I'd use
> 
> access-list 175 permit icmp any any echo-reply

With all the smurf amplifiers available, it is of course easier to
generate several Mbps of ICMP Echo Reply than it is to generate large
amounts of other ICMP traffic.

However, if your network is exposed to several Mbps of inbound ICMP
*other* than Echo Reply, it may be equally bad for your network. So
I prefer to leave it as 'icmp any any'.

Steinar Haug, Nethelp consulting, [email protected]
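As an added example (not from the thread or from Cisco), a small Python token-bucket model of the CAR `rate-limit` quoted above, run over constructed traffic to show the trade-off being discussed: with `permit icmp any any` a smurf flood of Echo Replies starves the PMTUD "fragmentation needed" messages of tokens, while the `echo-reply`-only list leaves them untouched (and, as the reply notes, leaves all other ICMP unlimited). The 128000 bps rate and 8000-byte burst are the values from the quoted config; CAR's extended-burst behaviour is simplified away.

```python
from collections import namedtuple

# Constructed packet record: arrival time in ms, ICMP type/code, size in bytes.
Packet = namedtuple("Packet", "t_ms icmp_type icmp_code size")

class TokenBucket:
    """Simplified model of 'rate-limit ... 128000 8000 8000': credit tokens at
    rate_bps, hold at most burst_bytes (extended burst is not modelled)."""
    def __init__(self, rate_bps, burst_bytes):
        self.per_ms = rate_bps / 8000.0      # bytes credited per millisecond
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = 0

    def conform(self, pkt):
        elapsed = pkt.t_ms - self.last_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.per_ms)
        self.last_ms = pkt.t_ms
        if pkt.size <= self.tokens:          # conform-action transmit
            self.tokens -= pkt.size
            return True
        return False                         # exceed-action drop

def in_access_list(pkt, policy):
    """'all' models 'permit icmp any any'; 'echo-reply' models
    'permit icmp any any echo-reply' (ICMP type 0)."""
    return policy == "all" or pkt.icmp_type == 0

def simulate(packets, policy, rate_bps=128000, burst=8000):
    """Return {(icmp_type, icmp_code): [transmitted, dropped]} for a policy.
    Packets not matched by the access-list bypass the limiter entirely."""
    bucket = TokenBucket(rate_bps, burst)
    stats = {}
    for pkt in sorted(packets, key=lambda p: p.t_ms):   # stable: keeps list order at equal t
        ok = bucket.conform(pkt) if in_access_list(pkt, policy) else True
        stats.setdefault((pkt.icmp_type, pkt.icmp_code), [0, 0])[0 if ok else 1] += 1
    return stats

def constructed_traffic():
    """One second of constructed traffic: a smurf flood of 1000-byte Echo
    Replies every 1 ms (8 Mbps) plus three 56-byte type 3/code 4
    'fragmentation needed' messages that PMTUD depends on."""
    flood = [Packet(t, 0, 0, 1000) for t in range(1000)]
    pmtud = [Packet(t, 3, 4, 56) for t in (500, 700, 900)]
    return flood + pmtud

if __name__ == "__main__":
    for policy in ("all", "echo-reply"):
        print(policy, simulate(constructed_traffic(), policy))
```

Under `all` the flood is cut to roughly the configured rate plus burst, but one of the three PMTUD messages is dropped with it; under `echo-reply` the flood is cut identically and all three PMTUD messages pass.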