Re: ICMP types

Just deny pings to the broadcast address and this can be eliminated; this can be done in sysctl and does not require iptables rules and their overhead.

This will take care of traffic that was destined to a broadcast address, but not traffic that was destined to your IP directly. I have known many a person to say that it is better to DROP the ICMP traffic coming in on your WAN / Internet interface so that you don't become part of a DDoS. Usually the idea behind this is for multiple owned boxen to ping some other box at random with a spoofed source address in the ICMP packet. This effectively causes the recipient of the ICMP packets to reply to the system that is to be DDoSed. This is still an issue on the Internet at large these days.

It would not take too many owned boxen connected to cable modems or DSL modems (or higher-speed connections) spewing out spoofed ICMP packets to ultimately cause a DDoS against an unwilling target. If the average cable modem's upload is 512 kbps and you have 1000 owned boxen spewing out spoofed ICMP echos as fast as they can, you would end up with approximately 500 Mbps worth of inbound ICMP echo replies (if the packet that was sent was an ICMP echo request) destined to the one target (assuming that the owned boxen sent with the same spoofed IP). A LOT of people want to prevent themselves from becoming a reflector in such a DDoS.



Grant. . . .
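The two layers discussed in this thread (the sysctl that stops the kernel answering broadcast pings, and DROP or rate-limit rules for echo requests arriving on the WAN interface addressed to the host itself), as an added example script that is not part of the original thread. The interface name eth0, the 5/second ping rate, the limit-burst value and the script name are assumptions; everything it emits is standard sysctl and iptables syntax.

```shell
#!/bin/sh
# Added example, not code from the original thread. Hardens a Linux host
# against being used as an ICMP reflector, in two layers:
#   1. sysctl: do not answer echo requests sent to broadcast/multicast
#      addresses (the "smurf" case), no netfilter rules needed.
#   2. iptables: for echo requests that arrive on the WAN interface addressed
#      to the host itself, either DROP them outright or rate-limit them, while
#      still accepting replies to pings this host sent out.
# WAN_IF and PING_LIMIT are assumed values; set them for your own box.

WAN_IF="${WAN_IF:-eth0}"             # assumption: Internet-facing interface
PING_LIMIT="${PING_LIMIT:-5/second}" # assumption: acceptable inbound ping rate

# Print the sysctl settings (sysctl.conf syntax) without applying them.
icmp_sysctl_settings() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# Print the iptables commands for the WAN interface without applying them.
# Mode "drop" is the "just DROP it" advice from the thread; mode "limit"
# keeps ping usable for diagnostics but caps how fast the box will reply,
# which is what bounds the bandwidth it can reflect at a spoofed victim.
icmp_wan_rules() {
    mode="${1:-drop}"
    # Replies to our own outbound pings, and ICMP errors for our own flows,
    # are tracked by conntrack, so they pass regardless of the echo-request rules.
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ "$mode" = "limit" ]; then
        printf '%s\n' "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit $PING_LIMIT --limit-burst 10 -j ACCEPT"
    fi
    # Anything over the limit (or everything, in drop mode) is silently dropped,
    # so no reply ever goes back toward the spoofed source.
    printf '%s\n' "iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP"
}

# Apply both layers on the running system (needs root).
apply_icmp_hardening() {
    icmp_sysctl_settings | while read -r key _eq val; do
        sysctl -w "$key=$val"
    done
    icmp_wan_rules "${1:-drop}" | sh -e
}

# Check the running kernel: succeeds only if broadcast pings are ignored.
broadcast_ping_ignored() {
    [ "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2>/dev/null)" = "1" ]
}

# Only touch the live system when explicitly asked:
#   ./icmp-harden.sh apply [drop|limit]
if [ "${1:-}" = "apply" ]; then
    apply_icmp_hardening "${2:-drop}"
    broadcast_ping_ignored && echo "broadcast echo requests are now ignored"
fi
```

Run it with no arguments (or call `icmp_wan_rules limit`) to see the rules before applying them; `apply` needs root and appends to INPUT, so if INPUT already has an ACCEPT for ICMP earlier in the chain, that rule wins and these never match. Verify afterwards with `sysctl net.ipv4.icmp_echo_ignore_broadcasts` and `iptables -L INPUT -v -n`. Two caveats: dropping or limiting echo requests only keeps this host from reflecting ICMP echo, it does nothing about other protocols the host answers on, and none of this stops the spoofing itself; that requires ingress filtering (BCP 38) at the network edge where the owned boxen sit, which the reflector cannot do on its own.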

