At 11:48 AM -0500 12/8/97, Karl Denninger wrote:
> On Fri, Dec 05, 1997 at 10:05:13PM -0700, Wayne Bouchard wrote:
> > Okay, so I'm now blocking 45 megs of icmp echo-reply packets at my borders.. At one point, this was 80,000 packets/sec. (No, I'm not exaggerating.)
> > <SoapBox>
> > For anyone who has not, PLEASE DISABLE DIRECTED BROADCASTS!
Yes. Disable directed broadcasts to your own internal networks. I suspect these are most often sent by mis-configured SNMP management systems. You probably don't want them trying to manage/monitor your devices anyway. Just don't break SNMP and ICMP for remote networks. For example, we use SNMP (HP OpenView) to manage and monitor our clients' networks remotely. HP OpenView uses pings every 5 to 15 minutes to detect if a machine is still up. It uses directed broadcasts and mask requests to detect new machines and map the remote network. When a 'host down' event happens, we automatically detect whether it's an ISP event or a customer event, and take the appropriate action. We expect intermediary ISPs to pass ICMP from our network to their network. So directed broadcasts to the customer network should be controlled by the customer's policy, even when the CPE router is managed by the ISP. (I don't know of any ISP/NSP that doesn't or won't do this.)
> > Tell a friend.. If you sell routers to clients and/or you configure them, include that in your default configuration.

Yes, do that. We need more work of the simple, but expensive kind. ;-)
> > Encourage people to filter inbound ICMP where possible..

Umm. No. Don't do that. ICMP is necessary for flow control and congestion management. Not to mention traceroute and ping use echo reply, and are handy. If you have 80,000 users each doing a ping once per second, then you probably need to provision more than a T3. But only 30 T1 users need to ping -f to load up a T3. So you need to figure out who the 30 or so are, and shut them down quickly. What might be more useful is a way to detect ping floods from a specific source, and automatically send them back source quenches. That is, tell them to shut their hole, uh, pipe. Umm, a program to do this? Me? Maybe. I'll post when/if I do it.

--Dean

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc                  dean@av8.com
LAN/WAN/UNIX/NT/TCPIP          http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
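The per-source flood detection Dean sketches above, as an added example that is not part of the thread: a sliding-window counter over ICMP echo-reply records that flags any source exceeding a packets-per-second threshold. The packet records are constructed sample data, not a capture from the list; keying by /24 (an assumption added here) also surfaces a smurf amplifier network whose individual hosts each stay under the threshold.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Constructed sample traffic: (time_s, src_ip, icmp_type); type 0 = echo-reply, 8 = echo-request.
# 10.0.0.5 emits 300 echo-replies in 1.5 s (ping -f style), 192.0.2.7 replies every 10 s,
# and 198.51.100.9 sends echo-requests, which the detector ignores.
SAMPLE_PACKETS = (
    [(i * 0.005, "10.0.0.5", 0) for i in range(300)]
    + [(i * 10.0, "192.0.2.7", 0) for i in range(6)]
    + [(i * 0.25, "198.51.100.9", 8) for i in range(8)]
)


def by_host(src):
    """Aggregate per source host (a single ping -f user)."""
    return src


def by_prefix24(src):
    """Aggregate per source /24 (hosts of one amplifier broadcast network)."""
    return str(ip_network(src + "/24", strict=False))


def find_flooders(packets, threshold_pps=100, window_s=1.0, key=by_host):
    """Return {key: peak_pps} for sources whose echo-reply rate exceeded threshold_pps
    within any sliding window of window_s seconds."""
    windows = defaultdict(deque)   # key -> timestamps of replies inside the current window
    peak = {}
    for t, src, icmp_type in sorted(packets):
        if icmp_type != 0:          # only echo-replies count toward the flood rate
            continue
        k = key(src)
        q = windows[k]
        q.append(t)
        while q and t - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        rate = len(q) / window_s
        if rate > threshold_pps:
            peak[k] = max(peak.get(k, 0.0), rate)
    return peak


if __name__ == "__main__":
    for label, key in (("by host", by_host), ("by /24", by_prefix24)):
        for src, pps in find_flooders(SAMPLE_PACKETS, key=key).items():
            print(f"{label}: {src} peaked at {pps:.0f} echo-replies/s")
```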