RE: [nsp] icmp blocking

From: Stephen Gill (gillsr@yahoo.com)
Date: Thu Mar 28 2002 - 03:59:17 EST


Kudos to Rob Thomas for addressing this in a quick how-to guide, as I
think it will answer your question...
http://www.enteract.com/~robt/Docs/Articles/icmp-messages.html

You are better off allowing a specific subset of ICMP and rate limiting
it. This way you have the best of both worlds, and you won't break
things too badly like source quench, path MTU, unreachable messages,
etc...

-- steve
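The approach Stephen describes (permit a defined subset of ICMP, drop the rest, and rate-limit what you keep) in a Cisco IOS configuration fragment. This is an added example written for this archive page; it is not configuration from any of the posters or from Rob Thomas's document. The ACL number (100), the ACL name ICMP-FILTER, the interface, and the 256 kbit/s rate and 8000-byte burst values are placeholders to be sized for your own backbone.

```cisco
! Numbered ACL used only as the CAR classifier: the ICMP types worth keeping.
! type 3 (unreachable) carries code 4 "fragmentation needed", which path MTU
! discovery depends on; time-exceeded is what traceroute relies on.
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any source-quench
!
! Interface filter: pass the same subset, drop every other ICMP type,
! and leave all non-ICMP transit traffic alone.
ip access-list extended ICMP-FILTER
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any source-quench
 deny   icmp any any
 permit ip any any
!
! Placeholder uplink interface. CAR polices the permitted ICMP to
! 256 kbit/s with 8000-byte normal/excess bursts and drops the overflow.
interface GigabitEthernet0/0
 ip access-group ICMP-FILTER in
 rate-limit input access-group 100 256000 8000 8000 conform-action transmit exceed-action drop
```

Check the result with `show access-lists` (hit counters on the permit and deny entries) and `show interfaces GigabitEthernet0/0 rate-limit` (conformed versus exceeded counters). Source quench is listed here only because the thread mentions it; it was later deprecated by RFC 6633 (2012), so on a current network you would leave it out of both lists.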

-----Original Message-----
From: fingers [mailto:fingers@fingers.co.za]
Sent: Wednesday, March 27, 2002 11:39 PM
To: Birsen Ozturk
Cc: cisco-nsp@puck.nether.net
Subject: Re: [nsp] icmp blocking

Hi

> I was looking for information about denying ICMP packets across the
> backbone. What is the efficient/recommended way of doing it? What are the
> drawbacks and maybe workarounds? I feel like if the backbone devices are
> open to ICMP they are vulnerable to DoS attacks. Any idea/recommendation
> is welcome.

You may wish to think about rate-limiting it instead of denying it
outright.

Regards

--Rob



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:38 EDT