On Tuesday, 19 December 2006 at 19:53 +0100, Martijn Lievaart wrote:
> ICMP filtering is not tricky. Just remember the rules.
> 1) NEVER, EVER, EVER filter out fragmentation needed. ;)
> 2) You may filter out ping, and the various destination unreachables,
> the consequences are yours.

Actually, Fragmentation Needed is one of the various Destination Unreachable messages... Type 3, code 4.

> 3) Everything else can be filtered without consequences.

Time Exceeded?

> If you mean, it is hard for a firewall to filter malicious ICMPs but not
> benign ICMPs, then we agree.

That was my point.

> I have not heard of a fragmentation needed attack yet, but I can
> imagine it happening (analogous to the zero windowsize attack).

You can use Frag Needed to degrade performance. See section 7 of:
http://www.gont.com.ar/drafts/icmp-attacks/draft-ietf-tcpm-icmp-attacks-01.txt

You can also use Source Quench.

--
http://sid.rstack.org/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
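The filtering rules discussed in the thread, as an added example that is not part of the original mailing-list message: a small ICMP classifier that verifies the RFC 1071 checksum, always passes Fragmentation Needed (type 3, code 4) and Time Exceeded, drops Source Quench, and, for Fragmentation Needed, flags an implausibly small advertised next-hop MTU, which is how such messages degrade PMTU discovery. The 552-byte floor is an assumption chosen here (it matches Linux's default min_pmtu); the sample messages are constructed, not captured traffic.

```python
import struct

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4
MIN_PLAUSIBLE_MTU = 552  # assumed floor; advertised MTUs below this are treated as suspect


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, code: int, rest: int, payload: bytes) -> bytes:
    """Build a constructed ICMP message (type, code, checksum, 32-bit 'rest of header')."""
    hdr = struct.pack("!BBHI", itype, code, 0, rest)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHI", itype, code, csum, rest) + payload


def filter_icmp(msg: bytes) -> tuple:
    """Return (verdict, reason) for one ICMP message under the thread's rules."""
    if len(msg) < 8:
        return "drop", "truncated header"
    itype, code, csum, rest = struct.unpack("!BBHI", msg[:8])
    # Recompute the checksum with the checksum field zeroed, as the sender did.
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        return "drop", "bad checksum"
    if itype == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        mtu = rest & 0xFFFF  # next-hop MTU is the low 16 bits (RFC 1191)
        if mtu < MIN_PLAUSIBLE_MTU:
            return "drop", "implausible next-hop MTU %d" % mtu
        return "accept", "fragmentation needed, next-hop MTU %d" % mtu
    if itype == ICMP_TIME_EXCEEDED:
        return "accept", "time exceeded"
    if itype == ICMP_SOURCE_QUENCH:
        return "drop", "source quench throttles TCP and is not needed"
    # Rules 2 and 3: ping, other unreachables and everything else are filtered here.
    return "drop", "filtered by policy"
```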