On Wednesday 21 December 2005 at 08:45 -0500, Derick Anderson wrote:
> I know that some networks just drop all ICMP to prevent traceroutes but
> recently I've been seeing problems related to fragmentation and
> MTU and wondering if dropping ICMP is causing some of that (since
> Fragmentation Needed packets can't get through). On the flip side of
> that there's the Source Quench and Fragmentation Needed DoS attacks
> which have recently become mildly popular (I've gotten a few hits on
> Snort but not that many).

ICMP is part of IP mechanisms. Break ICMP, you break IP. It's just as simple as that.

Regarding "recent" ICMP DoSes, protections have been proposed (and added) to mitigate them, such as the TCP sequence number check on the datagram quoted in the ICMP error.

In addition to this, Netfilter, unlike some popular proprietary products, provides proper stateful ICMP filtering. Just use it. Valid ICMP errors will fall into RELATED state, others will be INVALID.

--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
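To show why a Fragmentation Needed message can be classified as RELATED or INVALID, here is an added example (not from the list thread and not Netfilter's code): a simplified model of how a stateful tracker matches the datagram quoted inside an ICMP error against a flow table and applies the TCP sequence number check. The flow table, addresses and packets are constructed sample data; the 5-tuple key and the "seq must fall inside the window" rule are assumptions made for this model.

```python
import socket
import struct
from typing import Dict, Tuple

# Flow key in the original direction: (proto, src, dst, sport, dport) -> (lowest acceptable seq, window)
Flow = Tuple[int, str, str, int, int]

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def frag_needed(orig_ip: bytes, orig_l4: bytes, mtu: int) -> bytes:
    """ICMP type 3 code 4 quoting the offending datagram; next-hop MTU in the low 16 bits (RFC 1191)."""
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + orig_ip + orig_l4

def classify(icmp: bytes, table: Dict[Flow, Tuple[int, int]]) -> str:
    """Return the conntrack-style state (NEW / RELATED / INVALID) of an inbound ICMP message."""
    typ = icmp[0]
    if typ not in (3, 4, 5, 11, 12):    # only ICMP error types quote an inner datagram
        return "NEW"
    inner = icmp[8:]
    if len(inner) < 20:
        return "INVALID"
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    l4 = inner[ihl:ihl + 8]
    if len(l4) < 8:                      # RFC 792: the first 8 bytes of the L4 header must be present
        return "INVALID"
    sport, dport = struct.unpack("!HH", l4[:4])
    key: Flow = (proto, src, dst, sport, dport)
    if key not in table:                 # an error about a flow never seen: INVALID
        return "INVALID"
    if proto == 6:                       # quoted TCP sequence number must fall inside the window
        seq = struct.unpack("!I", l4[4:8])[0]
        lo, win = table[key]
        if (seq - lo) % 2**32 >= win:
            return "INVALID"
    return "RELATED"

# Constructed sample: one tracked TCP flow and four inbound ICMP messages.
TABLE: Dict[Flow, Tuple[int, int]] = {(6, "10.0.0.5", "203.0.113.9", 40000, 443): (1000, 65535)}
def _tcp8(sport: int, dport: int, seq: int) -> bytes:
    return struct.pack("!HHI", sport, dport, seq)
GOOD = frag_needed(ipv4_header("10.0.0.5", "203.0.113.9", 6, 1400), _tcp8(40000, 443, 1500), 1280)
BAD_SEQ = frag_needed(ipv4_header("10.0.0.5", "203.0.113.9", 6, 1400), _tcp8(40000, 443, 999999), 1280)
UNKNOWN = frag_needed(ipv4_header("10.0.0.7", "203.0.113.9", 6, 1400), _tcp8(40000, 443, 1500), 1280)
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # echo-request: a NEW ICMP "connection", not an error
```

Only GOOD is accepted as RELATED; a forged error with an out-of-window sequence number or about an untracked flow is INVALID and can be dropped without blocking Path MTU Discovery for real flows.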