FreeBSD DDoS protection
khatfield at socllc.net
Tue Feb 12 17:41:54 UTC 2013
As my response stated, filter ICMP except where necessary. I can state, coming from a mitigation background, that there are ways to safely do it without causing any issues. However, yes, you can still filter ICMP and remain compliant with an example pf rule like:
icmp_types = "{ echoreq, unreach }"
But in real life situations under constant attacks, blocking ICMP can be a large part of keeping businesses online.
If everything was standard and attackers followed the packet/traffic specifications then going by the standard would be no problem. That's not the case and sometimes guidelines have to be situational.
-Kevin
On Feb 12, 2013, at 10:54 AM, "Norbert Aschendorff" <norbert.aschendorff at yahoo.de> wrote:
> In fact, it's specified in RFC1122:
>
>
> 3.2.2.6 Echo Request/Reply: RFC-792
>
> Every host MUST implement an ICMP Echo server function that
> receives Echo Requests and sends corresponding Echo Replies.
>
> I think it implies that the implementation should actually work. :)
>
> --Norbert
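A complete pf.conf fragment built around the macro quoted above, as an added example that is not from Kevin's post or from any FreeBSD project configuration: it drops all ICMP by default on the external interface, passes only the types the post names (echo request for RFC 1122 compliance, unreachable so path MTU discovery keeps working), and caps state creation so a flood of otherwise-permitted echo requests cannot exhaust the state table. The interface name, the IPv6 type list and the numeric limits are assumptions to adjust for your site.

```pf
# Added example, not from the mailing-list post. Interface name is an assumption.
ext_if = "em0"

# ICMP types that must keep working: echo request (RFC 1122, section 3.2.2.6)
# and destination unreachable (path MTU discovery depends on "needfrag").
icmp_types = "{ echoreq, unreach }"

# Equivalent minimum for IPv6 (type names per pf.conf(5)); "toobig" is the
# IPv6 path MTU signal and neighbour discovery is required on every link.
icmp6_types = "{ echoreq, unreach, toobig, neighbrsol, neighbradv }"

# Silently drop instead of answering with ICMP errors of our own.
set block-policy drop

# Default deny for ICMP on the external interface; anything not passed below
# is dropped, which is the "filter except where necessary" policy.
block in on $ext_if inet proto icmp
block in on $ext_if inet6 proto ipv6-icmp

# Pass only the required types, with per-source and per-rule state limits so
# an attacker cannot turn the permitted echo requests into a state-table flood.
pass in on $ext_if inet proto icmp icmp-type $icmp_types \
    keep state (source-track rule, max-src-states 20, max 2000)
pass in on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types \
    keep state (source-track rule, max-src-states 20, max 2000)
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and watch `pfctl -s info` (the "memory" counter under State Table) and `pfctl -s states | grep icmp` during an attack to confirm the limits are what is dropping traffic rather than the default block.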