nanog mailing list archives
Re: Firewall stateful handling of ICMP packets
From: Steve Francis <steve () expertcity com>
Date: Wed, 03 Dec 2003 19:46:43 -0800
Jamie Reid wrote:
> Personal view: If every ISP rate limited icmp's on ingress (from customers and net) to some reasonable rate (I use 2Mbps), then you protect the net from attack impacts, have no impact on customers during normal times, and break nothing essential during times of attack (as opposed to, say, SYN rate limiting, which just lowers the bar for an attacker.)
>
> This was a problem when filtering Nachi while it pinged networks to their knees. Sometimes I wonder if there is any legitimate reason to allow pings from users at all. ICMP echos are a bit of a hack and, quite literally, noise, and I wonder if it may be time to consider unofficially retiring them using filters.
Of course, this assumes that the equipment can do such policing in hardware, or with negligible impact...
Totally filtering ICMP echoes would raise lots of user hackles...
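As an added illustration of the ingress ICMP policing discussed above (example code, not from the list or any of the posters): a single-rate token-bucket policer applied to ICMP only, at the 2 Mbps rate named in the thread, run over a constructed trace of ordinary once-a-second pings and a constructed echo flood. The burst allowance, packet sizes and both traces are assumptions.

```python
# Added example (not from the thread): a token-bucket ingress policer applied to ICMP
# only, at the post's 2 Mbps. Burst size, packet sizes and both traces are assumptions.
# Time is integer microseconds and tokens are byte-microseconds, so arithmetic is exact.
# A packet is a (ts_us, proto, size) tuple: arrival time, protocol name, bytes on the wire.

RATE_BPS = 2_000_000     # policing rate from the post
BURST_BYTES = 25_000     # assumed burst allowance: 0.1 s worth at 2 Mbps
US = 1_000_000           # microseconds per second

class TokenBucket:
    """Single-rate policer: conforming packets pass, excess is dropped, no queueing."""
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate_bytes = rate_bps // 8      # refill in bytes per second
        self.cap = burst_bytes * US          # capacity in byte-microseconds
        self.tokens = self.cap               # bucket starts full
        self.last_us = 0

    def conform(self, ts_us: int, size: int) -> bool:
        # refill for the elapsed time, capped at the burst, then try to spend size bytes
        self.tokens = min(self.cap, self.tokens + (ts_us - self.last_us) * self.rate_bytes)
        self.last_us = ts_us
        if size * US > self.tokens:
            return False
        self.tokens -= size * US
        return True

def police_icmp(packets, rate_bps=RATE_BPS, burst_bytes=BURST_BYTES):
    """Police ICMP only; everything else passes untouched.
    Returns (icmp_passed_bytes, icmp_dropped_bytes, other_passed_bytes)."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    icmp_ok = icmp_drop = other = 0
    for ts_us, proto, size in sorted(packets):
        if proto != "icmp":
            other += size
        elif bucket.conform(ts_us, size):
            icmp_ok += size
        else:
            icmp_drop += size
    return icmp_ok, icmp_drop, other

def normal_trace():
    """Constructed: one 64-byte echo per second for 10 s, plus 1500-byte TCP segments."""
    return ([(t * US, "icmp", 64) for t in range(10)] +
            [(t * US + US // 2, "tcp", 1500) for t in range(10)])

def flood_trace():
    """Constructed: 1 s of 1000-byte echoes every 800 us (10 Mbps), a Nachi-style flood."""
    return [(i * 800, "icmp", 1000) for i in range(1250)]
```

Running `police_icmp` over `normal_trace()` drops nothing, while over `flood_trace()` it passes only the burst plus roughly one second's worth at 2 Mbps and drops the rest, which is the behaviour the post argues for.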