On Sun, 28 Dec 1997, Bradley Reynolds wrote:
Huh? ICMP floods vs TCP floods. Aren't they both IP or have I missed something glaringly obvious.
Yes, both are independent of the network layer protocol which operates beneath them (which in this case is IP)
The difference is that you can filter icmp seperately from tcp to give you some sort of granularity with your acl policy. This is important in that if you deny icmp traffic to a specific segment of your network (or in from your serial interface for the whole thing) you are still vulnerable to the publicized attacks which exploit vulnerabilities inherent in TCP.
Yep. Or just a straight out 'lets spew packet' floods.
The whole point for this discussion was that you should be a responsible network administrator and understand the trouble you could cause the people you are connected to. Once you understand that, you can take use the facilities that your vendor provides to limit the damage so to speak.
Yep. I thought it was also just on generic spoofing/flooding and their impact on *EVERYONE*. Disabling icmp broadcasts on the router interfaces is fine, but later on someone will come up with something new, take advantage of (mis)configurations of networks, start blowing people's connections away, blah, blah, blah. I for one am for the access lists on interfaces to stop DOWNstreams abusing your network to flood others. Even if its just transit (no packet blooms like in smurf). Quite a bit of the current internet infrastructure is based upon trusting everyone who is connected to the network. And I for one certainly dont trust everyone on the network. Tightening up on things like this now would save a lot of pain and hassles later on. Adrian