[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: ICMP



On Mon, 28 Feb 2000, wulfman wrote:

> After the recent attacks on the major servers on the web my ISP has
> decided to stop all ICMP messages from his ISP.
> 
> I have red the RFCs and it seems that he cant do that... As a result
> pings and traceroutes will not work.
> 
> I need a friendly person out there to tell me a way to break the news to
> him that he has to allow ICMP packets

Some ICMP packets are essential. Think of the 'destination unreachable'
you get when you connect to a server that is missing a service. If you
have to wait for the timeout you waste a lot of time.

I think (but it's of the top of my head) that some sort of ICMP messages
are listed as 'required' so removing them actually breaks with the
standard.

While some ICMP filtering could be considered a service this is actually
breaking things down and the collateral damage is greater then the target
intended. (I know UUNET NL refused to filter ICMP even when I asked them
to do so for a periode of a few hours as they claim it would break the
standard.)

Hugo.

[mod: And I know that they (UUNET-NL) filter all ICMP to/from at least
one other ISPs such that the standards indeed break: Instead of going
the extra mile and filtering just ICMP echos, they filter all ICMP,
breaking e.g. path MTU discovery. -- REW]

-- 
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij caiw nl	http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Use of any of my email addresses for unsollicited (commercial)
    email is a clear intrusion of my privacy and illegal!



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]