
List:       nanog
Subject:    Re: [nsp] known networks for broadcast ping attacks
From:       "David P. Maynard" <dpm () flametree ! com>
Date:       1997-08-12 11:04:29


Eric Wieling wrote:
> We recently implemented outbound filters for our network.  It's
> rather draconian, but it's effective and we've had no complaints yet.
> We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
> with source addresses on our network.  That's all.
> [...]
> We also block all inbound ICMP 0/0 (echo request) and a
> bunch of other things.
> 
> --Eric

You should probably allow more ICMP types.  In particular, allowing the ones used by Path MTU discovery will make your life easier.  Trying to track down bizarre sounding connection problems that turn out to be Path MTU discovery failures can make for an interesting day, but it gets old after a while.  I think there was a discussion here a few weeks ago on ICMP filters, so I would check the archives for details.

-dpm

-- 
 David P. Maynard, Flametree Corporation
 EMail: dpm@flametree.com,  Tel: +1 512 670 4090,  Fax: +1 512 251 8308
--
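The point David makes above, shown as an added example that is not part of the original thread: a small first-match ICMP filter model (the rule lists, the `Rule`/`evaluate`/`simulate_transfer` names and the constructed MTU values are all assumptions made for illustration, not a real router's configuration). The "strict" inbound policy admits no ICMP at all, the way Eric's description reads; the PMTUD-friendly one still drops inbound echo requests but lets through the type 3/code 4 "fragmentation needed" and type 11 "time exceeded" messages that Path MTU discovery and traceroute rely on. Running a DF-set transfer across a narrower link through each policy shows where the black hole comes from.

```python
"""Constructed example: first-match ICMP filtering and its effect on
Path MTU discovery.  Not code from the original NANOG message."""

from dataclasses import dataclass
from typing import List, Optional

# ICMP type/code numbers from RFC 792 and RFC 1191.
ECHO_REPLY = 0
DEST_UNREACHABLE = 3
FRAG_NEEDED = 4          # type 3, code 4: "fragmentation needed and DF set"
ECHO_REQUEST = 8
TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    icmp_type: Optional[int]         # None matches any ICMP type
    icmp_code: Optional[int] = None  # None matches any code


def evaluate(rules: List[Rule], icmp_type: int, icmp_code: int) -> str:
    """First matching rule wins; an implicit deny sits at the end, as in
    a Cisco-style access list."""
    for r in rules:
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        if r.icmp_code is not None and r.icmp_code != icmp_code:
            continue
        return r.action
    return "deny"


def strict_inbound() -> List[Rule]:
    """Hypothetical 'block inbound echo requests and a bunch of other things':
    nothing is explicitly permitted, so every ICMP message is dropped."""
    return [Rule("deny", ECHO_REQUEST)]


def pmtud_friendly_inbound() -> List[Rule]:
    """Hypothetical corrected policy: still refuses inbound pings, but admits
    the messages PMTUD and traceroute need plus replies to our own pings."""
    return [
        Rule("permit", DEST_UNREACHABLE, FRAG_NEEDED),  # path MTU feedback
        Rule("permit", TIME_EXCEEDED),                  # traceroute / TTL expiry
        Rule("permit", ECHO_REPLY),                     # answers to our pings
        Rule("deny", ECHO_REQUEST),                     # no inbound pings
    ]


def simulate_transfer(rules: List[Rule], path_mtu: int, packet_size: int) -> str:
    """Model one DF-set packet crossing a path whose narrowest link is
    path_mtu bytes.  A router there answers with type 3/code 4; if our
    inbound filter drops that answer, the sender never shrinks its
    segments and the connection hangs.  Constructed sizes only."""
    if packet_size <= path_mtu:
        return "delivered"
    if evaluate(rules, DEST_UNREACHABLE, FRAG_NEEDED) == "permit":
        return "delivered after PMTU reduced to %d" % path_mtu
    return "black hole: sender never learns the path MTU"


if __name__ == "__main__":
    for name, policy in (("strict", strict_inbound()),
                         ("pmtud-friendly", pmtud_friendly_inbound())):
        print(name, "->", simulate_transfer(policy, path_mtu=1400, packet_size=1500))
```

The stall this models is exactly the "bizarre sounding connection problem": small requests work, large transfers hang, and nothing in the TCP stream itself explains why. Permitting the specific type/code pair is enough; the filter need not admit echo requests or any other ICMP to fix it.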

