Kudos to Rob Thomas for addressing this in a quick how-to guide, as I
think it will answer your question...
http://www.enteract.com/~robt/Docs/Articles/icmp-messages.html
You are better off allowing a specific subset of ICMP and rate limiting
it. This way you have the best of both worlds, and you won't break
things too badly like source quench, path MTU, unreachable messages,
etc...
-- steve
-----Original Message-----
From: fingers [mailto:fingers@fingers.co.za]
Sent: Wednesday, March 27, 2002 11:39 PM
To: Birsen Ozturk
Cc: cisco-nsp@puck.nether.net
Subject: Re: [nsp] icmp blocking
Hi
> I was looking for information about denying ICMP packets accross the
> backbone. What is the efficient/reccomended way of doing it? What are
the
> drawbacks and maybe workarounds? I feel like if the backbone devices
are
> open to ICMP they are vulnerable to DoS attacks. Any
idea/reccomendation
> is welcome.
You may wish to think about rate-limiting it instead of denying it
outright.
Regards
--Rob
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:09 EDT