Some time ago Rick Watson said:
The filters need to be higher up the chain. EVERYONE needs to install anti-spoof filters.
I'd prefer not to be forced to filter out all pings. Everyone filtering out ICMP packets means there is a 100% successful denial of service attack on what is otherwise a very useful debugging tool (ping).
We recently implemented outbound filters for our network. It's rather draconion, but it's effectiveand we've had no complaints yet. We allow outbound TCP, UDP, GRE, and outbound ICMP 0/0 (echo request) with source addresses on our network That's all. It does not eliminate ping floods, but at least the source address will be traceable to us. (Yes, our whois information is up to date 8-). Granted, that means that we don't send out TTL exceeded (so people can't traceroute into us), we don't send out destination, host, or network unreachable, so if people try to access a host/port/network that does not exist, they have to wait and wait for their local TCP stack to time out. It is my belief that people should not be pinging, tracerouting, into our network and that people should not be trying to access hosts that don't exist. We also block all inbound inbound ICMP 0/0 (echo request) and and a bunch of other things. --Eric -- Eric Wieling (eric@ccti.net), Corporate Communications Technology Sales: 504-585-7303 (sales@ccti.net), Support: 504-525-5449 (support@ccti.net) A BellSouth Communications Specialist. No, I don't work for BellSouth, I'm just on the phone with them so much that I'm an expert at getting them to do things.