Shaping / policing the ICMP rate is cool...and helps reduce the impact of DDoS attacks...
Filtering is sh.t...
my 2 cents
Christian
-----Original Message-----
From: Pascal Gloor [mailto:[EMAIL PROTECTED]]
Sent: Friday, 29 August 2003 11:36
To: [EMAIL PROTECTED]
Subject: Re: [swinog] filtering ICMP...
> I don't consider it much harm as long as icmp type 0,3,4,8,11,12 get through...
> but you still have the dilemma "should they filter" - I would vote "no", though
> I see the possibilities and the strength in doing filtering in the core - it's just
> the lack of trust in the folks that would do the filtering... or say: those who say
> what should be filtered.
It would be far enough if they would tell us "please consider about
filtering/shaping this/that kind of packet due to this/that reason...".
and filtering this doesn't bring anything against DDoS, once the kiddies will
see ICMP has no effect they'll move to another protocol...
I personally think that by applying this filter, they do not respect their
standard SLA...
Pascal
----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
