[c-nsp] ICMP filtering for the ISP

Ted Mittelstaedt tedm at toybox.placo.com
Tue Jan 23 04:15:01 EST 2007


----- Original Message ----- 
From: "Gert Doering" <gert at greenie.muc.de>
To: "J. Oquendo" <sil at infiltrated.net>
Cc: <cisco-nsp at puck.nether.net>
Sent: Monday, January 22, 2007 11:44 PM
Subject: Re: [c-nsp] ICMP filtering for the ISP


> Hi,
> 
> On Mon, Jan 22, 2007 at 05:10:08PM -0500, J. Oquendo wrote:
> > Want to allow source quenches and unreachables...?
> > 
> > C1 (posing as R2) --> source quench flood --> R1 ... Flaps
> > C1 (posing as R2) --> unreachable flood --> R1 ... flaps
> 
> today's routers don't act on source quench ICMPs anyway.

It has always been a violation of the standard for a router to pay
attention to source quench.

source quench is a host-to-host thing.  Routers are supposed to be
transparent - they are neither to act on source quench NOR are they
to BLOCK it.

Any modern server operating system has rate limiting in it, that is
how you deal with so-called "source quench floods"

If your routers are being taken down by floods of any kind,
source quench or otherwise, that is a DoS attack.  You should have
already configured your routers to ignore packets with a
destination of the router, except from designated hosts.

Ted
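The router-protection approach Ted describes, written out as an added Cisco IOS example (not configuration from the thread or from any poster). It assumes placeholder addresses: the router's edge interface 192.0.2.1/30 facing peer 192.0.2.2, a loopback 198.51.100.1, and a designated management block 203.0.113.0/28. The point it illustrates is the one in the message: traffic addressed to the router itself is dropped unless it comes from designated hosts, while transit traffic, ICMP unreachables and source quench included, is passed untouched rather than blocked.

```cisco
! Added example; all addresses are placeholders, not values from the thread.
ip access-list extended EDGE-IN
 remark Designated management hosts may talk to the router's own addresses
 permit ip 203.0.113.0 0.0.0.15 host 198.51.100.1
 permit ip 203.0.113.0 0.0.0.15 host 192.0.2.1
 remark The directly connected peer needs to reach the interface address
 remark (routing protocol adjacency, ping for troubleshooting)
 permit ip host 192.0.2.2 host 192.0.2.1
 remark Anything else aimed at the router itself is dropped and logged,
 remark so a flood of any ICMP type at the router never reaches its CPU
 deny   ip any host 198.51.100.1 log
 deny   ip any host 192.0.2.1 log
 remark Transit traffic passes unfiltered: the router stays transparent
 remark to host-to-host ICMP such as source quench and unreachables
 permit ip any any
!
interface GigabitEthernet0/0
 description Edge link toward 192.0.2.2
 ip address 192.0.2.1 255.255.255.252
 ip access-group EDGE-IN in
```

Every address the router answers on (interfaces, loopbacks) needs its own deny line, and the final `permit ip any any` is required because an extended ACL ends in an implicit deny; without it the ACL would block the transit ICMP the message says routers must not touch. The `log` keyword is there so that a flood aimed at the router shows up in the logs as dropped packets, which is the detection side of the same control; on a busy link, rate-limit logging or drop the keyword so logging itself cannot load the CPU.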

