List: nanog
Subject: Re: [nsp] known networks for broadcast ping attacks
From: "David P. Maynard" <dpm () flametree ! com>
Date: 1997-08-12 11:04:29
Eric Wieling wrote:
> We recently implemented outbound filters for our network. It's
> rather draconian, but it's effective and we've had no complaints yet.
> We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request)
> with source addresses on our network. That's all.
> [...]
> We also block all inbound ICMP 0/0 (echo request) and a
> bunch of other things.
>
> --Eric
You should probably allow more ICMP types. In particular, allowing the ones used by
Path MTU discovery will make your life easier. Trying to track down bizarre-sounding
connection problems that turn out to be Path MTU discovery failures can make for an
interesting day, but it gets old after a while. I think there was a discussion here a
few weeks ago on ICMP filters, so I would check the archives for details.
-dpm
--
David P. Maynard, Flametree Corporation
EMail: dpm@flametree.com, Tel: +1 512 670 4090, Fax: +1 512 251 8308
--
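
How an echo-only ICMP filter interacts with Path MTU discovery, as an added example that is not part of the original message: it parses a constructed ICMP "fragmentation needed" message (type 3, code 4, RFC 1191) and checks it against two allow-lists. The policy names, function names and sample packets are assumptions made for illustration; `ECHO_ONLY` is a stand-in for a filter that passes only echo requests.

```python
import struct

FRAG_NEEDED = (3, 4)             # Destination Unreachable, "fragmentation needed and DF set"
ECHO_ONLY = {(8, 0)}             # assumed stand-in for an echo-only ICMP filter
WITH_PMTUD = ECHO_ONLY | {FRAG_NEEDED}

def checksum(data: bytes) -> int:
    """16-bit ones' complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(itype: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message; `rest` is header bytes 4..7."""
    msg = struct.pack("!BBH", itype, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("shorter than the 8-byte ICMP header")
    if checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, low16 = struct.unpack("!BBHHH", msg[:8])
    info = {"type": itype, "code": code}
    if (itype, code) == FRAG_NEEDED:
        info["next_hop_mtu"] = low16   # RFC 1191: MTU of the link that could not forward
    return info

def verdict(msg: bytes, allowed: set) -> str:
    info = parse_icmp(msg)
    return "permit" if (info["type"], info["code"]) in allowed else "deny"

# Constructed samples: a router reporting a 1400-byte next hop, and an echo request.
SAMPLE_FRAG = build_icmp(3, 4, struct.pack("!HH", 0, 1400), bytes(28))
SAMPLE_ECHO = build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"ping")

if __name__ == "__main__":
    for name, policy in (("echo-only", ECHO_ONLY), ("with PMTUD", WITH_PMTUD)):
        print(name, verdict(SAMPLE_ECHO, policy), verdict(SAMPLE_FRAG, policy),
              parse_icmp(SAMPLE_FRAG).get("next_hop_mtu"))
```

Under the echo-only policy the type 3 code 4 message is denied, so a sender with DF set never learns the smaller MTU and its large packets are silently dropped, which is the kind of connection problem the message describes.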