On Mon, Jul 03, 2000 at 11:12:31PM +0100, Alan Cox wrote:
> > > Personally I suggest allowing the following ICMP types:
> > > 0 Echo Reply
> > > 3 Destination Unreachable
> > > 11 Time Exceeded
> > > 12 Parameter Problem

> 0 is optional but useful, 11 can be used for certain kinds of DoS attack
> against some hosts.

Echo Reply is bad news since several of the DDoS zombies communicate by way
of ICMP Echo Reply with encrypted payloads.

> > > and dropping the rest (you must allow ICMP type 3).

> > Why must type 3 be allowed?

> It makes it possible to use TCP. Path MTU discovery requires destination
> unreachable

Bingo. Bad Juju.

> > Wouldn't it make it harder to do portscans and similar things, if one
> > drops all outgoing "Destination Unreachable" packets?

> Far more productive is to fake connection accepts on all other ports 8)

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)     |  (770) 331-2437   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9     |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471  |  possible worlds.  A pessimist is sure of it!
-
: send the line "unsubscribe linux-net" in the body of a message to
majordomo@vger.rutgers.edu
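As an added illustration, not part of the thread above: a small Python parser for inbound ICMP messages that applies the filter policy being debated, keeping types 3, 11 and 12, dropping Echo Reply (type 0), and pulling the next-hop MTU out of a type 3 code 4 message, which is the field Path MTU discovery depends on. The helper names and the constructed sample packets are mine, not from the thread.

```python
# Added example: parse an ICMP header and apply the inbound filter policy
# discussed in the thread. Type 3 (Destination Unreachable) must pass or
# PMTUD breaks; Echo Reply is dropped because DDoS agents have used it as
# a covert channel. Type 11 was flagged as a DoS vector, so remove it from
# ALLOWED_TYPES if that matters more to you than traceroute working.
import struct

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_TIME_EXCEEDED = 11
ICMP_PARAM_PROBLEM = 12
FRAG_NEEDED = 4  # type 3 code 4: fragmentation needed and DF set (RFC 1191)

# Inbound ICMP types accepted by this policy; Echo Reply is deliberately absent.
ALLOWED_TYPES = {ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(msg: bytes) -> dict:
    """Parse the 8-byte ICMP header; for type 3 code 4 also return the
    next-hop MTU carried in the last two header bytes."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_checksum(msg) != 0:  # a correct checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    info = {"type": icmp_type, "code": code, "payload": msg[8:]}
    if icmp_type == ICMP_DEST_UNREACH and code == FRAG_NEEDED:
        info["next_hop_mtu"] = mtu
    return info

def filter_icmp(msg: bytes) -> str:
    """Return 'accept' or 'drop' for one inbound ICMP message."""
    try:
        info = parse_icmp(msg)
    except ValueError:  # truncated or corrupt: never let it through
        return "drop"
    return "accept" if info["type"] in ALLOWED_TYPES else "drop"

def build_icmp(icmp_type: int, code: int, mtu: int = 0, payload: bytes = b"") -> bytes:
    """Build a checksummed ICMP message (used only to construct sample input)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, 0, mtu) + payload
```

The payload of a real type 3 message carries the offending datagram's IP header plus 8 bytes; the constructed samples only mimic its length.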