On Wed, 09 Oct 2002 22:43:50 PDT, Steve Francis said:
That's not terribly hard to overcome - allow icmp unreachables (from any source) in your acl, then deny all traffic from RFC 1918 addresses, then the rest of the ACL.
Combined with CAR (or CatOS QoS rate limiting) on icmp's, you end up with all the functionality, and almost none of the bogus traffic.
Amazingly enough, although there's a number of offenders in the 1918-numbered tunnel category, we decided it was easier to just not worry about talking to those providers' victi^H^H^H^H^Hcustomers(*). We got tired of watching all the DDoS-backscatter ICMP that *also* shows up with 1918 addresses on it. When those show up, it means that some provider didn't filter whoever was forging our address *AND* some provider wasn't filtering the 1918-sourced ICMP. The fact it's probably two different providers is enough to make you give up trying to do something nice for the net and just go have too many beers instead. ;)

/Valdis

(*) The problem usually tends to be self-correcting - the host that got bit the most was our Listserv machine - and if outbound mail got hosed up for TOO long, it would bounce, the victim would get unsubscribed, and no more problems - at least till they manage to resubscribe. Life got much nicer once I made sure the "You must now confirm your subscription" message was long enough to always trigger a 'frag needed'. ;)
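The ACL ordering Steve describes, as an added Python model that is not from either poster or any router vendor: a first-match rule list evaluated over constructed sample packets, showing why the permit for ICMP unreachables has to sit before the RFC 1918 deny (otherwise 'frag needed' from a 1918-numbered tunnel router is dropped and PMTUD breaks), and that 1918-sourced backscatter unreachables still pass, which is the residue the CAR/QoS rate limit is meant to soak up. Packet, evaluate and the rule lists are names assumed here.

```python
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 private ranges that should never appear as a source on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str           # source IPv4 address
    proto: str         # "icmp", "tcp" or "udp"
    icmp_type: int = -1  # ICMP type, -1 for non-ICMP packets
    icmp_code: int = -1  # ICMP code, -1 for non-ICMP packets

def is_unreachable(pkt: Packet) -> bool:
    """ICMP type 3 (destination unreachable), including code 4 'fragmentation needed'."""
    return pkt.proto == "icmp" and pkt.icmp_type == 3

def from_rfc1918(pkt: Packet) -> bool:
    addr = ipaddress.ip_address(pkt.src)
    return any(addr in net for net in RFC1918)

# Rules are (predicate, action); first match wins, as on a router ACL.
# "The rest of the ACL" is simplified to a final permit-any.
ACL_GOOD = [
    (is_unreachable, "permit"),   # let PMTUD messages through, whatever their source
    (from_rfc1918, "deny"),       # then drop everything else sourced from private space
    (lambda p: True, "permit"),
]
ACL_NAIVE = [
    (from_rfc1918, "deny"),       # private-source deny first: also eats the frag-needed
    (is_unreachable, "permit"),
    (lambda p: True, "permit"),
]

def evaluate(acl, pkt: Packet) -> str:
    for pred, action in acl:
        if pred(pkt):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Constructed sample traffic (not captured data).
FRAG_NEEDED_FROM_TUNNEL = Packet("10.1.2.3", "icmp", 3, 4)    # PMTUD from a 1918-numbered router
SYN_FROM_1918 = Packet("192.168.1.1", "tcp")                   # bogus private-source TCP
FRAG_NEEDED_PUBLIC = Packet("198.51.100.7", "icmp", 3, 4)      # PMTUD from a normal router
BACKSCATTER_1918 = Packet("172.16.0.5", "icmp", 3, 1)          # DDoS backscatter, private source
```

The good ordering permits both frag-needed packets and denies the TCP SYN, but also permits the backscatter unreachable; the naive ordering denies the tunnel router's frag-needed along with it.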