On Jun 27, 2007, at 10:26 PM, Chris L. Morrow wrote:
On Wed, 27 Jun 2007, Danny McPherson wrote:

I think the fear expressed is that if you aren't careful and just drop all icmp (which is probably what happens in 99.9% of the 'i got icmp flooded' incidents) you'd run the risk of dropping the icmp 3/4 as well. This may matter if, for instance, the attackee is a webserver sending back full content packets (mtu 4400 fddi frames) and somewhere near the source of the request ethernet was the only viable media... I doubt this is a huge concern to the attackee, so long as most of their customers work, and it's fairly easily remedied if you filter the actual attack type/code only.
So how about this slight modification to the text:

Some denial of service attacks are based on the ability to flood the victim with ICMP traffic. One quick way to mitigate the effects of such attacks is to drop all ICMP traffic headed toward the victim. It should be noted that one possibly negative implication of filtering all ICMP traffic towards a victim is that legitimate functions which rely upon successful delivery of ICMP messages to the victim (e.g., PMTU-D elicited ICMP Destination Unreachable - fragmentation needed error messages) will not be received by the victim.

Or something of the sort...?

-danny
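As an added illustration of the point made in this thread (example code, not from the thread or any draft text), the Python below applies the two mitigations, "drop all ICMP" versus "drop only the flooding type/code", to constructed ICMP messages and shows that only the selective policy lets a PMTU-D fragmentation-needed message (type 3, code 4, carrying a next-hop MTU) reach the victim. The sample packets, checksum helper and policy functions are all assumptions made for the example.

```python
import struct

ICMP_DEST_UNREACH = 3      # type 3: Destination Unreachable
CODE_FRAG_NEEDED = 4       # code 4: fragmentation needed and DF set (PMTU-D)
ICMP_ECHO_REQUEST = 8      # type 8: the usual ping-flood payload (assumed flood type)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (constructed test data)."""
    hdr = struct.pack("!BBHI", icmp_type, code, 0, rest)
    return struct.pack("!BBHI", icmp_type, code, icmp_checksum(hdr + payload), rest) + payload

def parse_icmp(pkt: bytes) -> dict:
    """Return type/code and, for type 3 code 4, the next-hop MTU (RFC 1191)."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        raise ValueError("truncated ICMP header or bad checksum")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", pkt[:8])
    info = {"type": icmp_type, "code": code}
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        info["next_hop_mtu"] = rest & 0xFFFF   # low 16 bits of the 'unused' word
    return info

def drop_all_icmp(pkt: bytes) -> str:
    """The blunt mitigation: every ICMP message toward the victim is dropped."""
    return "drop"

def drop_flood_type_only(pkt: bytes, flood_type: int = ICMP_ECHO_REQUEST) -> str:
    """The selective mitigation: drop only the type observed in the flood."""
    return "drop" if parse_icmp(pkt)["type"] == flood_type else "accept"

# Constructed sample traffic: one flood packet and one PMTU-D error for a 1500-byte hop.
FLOOD_PKT = build_icmp(ICMP_ECHO_REQUEST, 0, (0x1234 << 16) | 1, b"A" * 56)
FRAG_NEEDED = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, 1500,
                         b"\x45" + b"\x00" * 27)   # stand-in for IP header + 8 bytes

def compare_policies(packets):
    """Verdict of each policy for each packet, in the order given."""
    return {"drop_all": [drop_all_icmp(p) for p in packets],
            "flood_type_only": [drop_flood_type_only(p) for p in packets]}

if __name__ == "__main__":
    print(compare_policies([FLOOD_PKT, FRAG_NEEDED]))
```

Under the selective policy the fragmentation-needed message is accepted with its next-hop MTU intact, which is exactly what the victim's PMTU-D needs; under the blanket drop it never arrives.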