Well, I speak as a content provider instead of a service provider, your rules are a little different.

later-
Devin Anderson
Network Engineer
Lycos, Inc.

Brandon Ross <bross@mindspring.net> on 01/13/99 02:29:41 AM

To: nanog@merit.edu
cc: (bcc: Devin Anderson/Lycos)
Subject: Re: Solution: Re: Huge smurf attack

On Tue, 12 Jan 1999 danderson@lycos.com wrote:

> Only I'm allowing the echo-reply so I can ping/traceroute out for my
> troubleshooting needs. However, I don't buy the 'it breaks testing methods'
> because there are other ways to test than using icmp for incoming stuff.

Yes, but, do you have any idea how many tech support calls would be generated by our customers complaining that they can't ping or be pinged? Our service is advertised as unrestricted Internet access. Our customers rightfully expect to be able to ping out as well as be pinged. If we blocked all echo throughout our network, we would be completely flooded with technical support calls.

Doing something like this, similar to the several suggestions to filter all .0 and .255 addresses, is an attempt to fix the symptom instead of the real problem.

> Plus, you STILL have directed broadcasts turned off in my scenario so the
> access list is almost futile.

Of course.

Brandon Ross
Network Engineering 404-815-0770 800-719-4664
Director, Network Engineering, MindSpring Ent., Inc.
info@mindspring.com
ICQ: 2269442

Stop Smurf attacks! Configure your router interfaces to block directed broadcasts.
See http://www.quadrunner.com/~chuegen/smurf.cgi for details.