North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Firewall stateful handling of ICMP packets
Jamie Reid wrote:
Personal view:If every ISP rate limited icmp's on ingress (from customers and net) to some reasonable rate (I use 2Mbps), then you protect the net from attack impacts, have no impact on customers during normal times, and break nothing essential during times of attack (as opposed to, say, SYN rate limiting, which just lowers the bar for an attacker.)
Of course, this assumes that the equipment can do such policing in hardware, or with negligible impact...
Totally filtering ICMP echoes would raise lots of user hackles...