[unisog] Necessary ICMP traffic and the SANS/FBI top 20
jtk at depaul.edu
Mon Jun 16 16:48:07 GMT 2003
On Mon, 16 Jun 2003 09:25:47 -0500
"Mayne, Jim" <J.Mayne at tcu.edu> wrote:
> Given all the other ICMP messages available to intruders I am curious
> if a better approach would not be to allow only fragmentation needed
> (3-4) and source quench in/out of your network. It seems that any
Source quench is ineffective for what its intended purpose was. Its
generally considered deprecated in use.
> others should only be passing between nodes inside your network.
> Is this not true?
I recommend allowing all of the following ICMP message types in and out,
then discard those not shown:
echo reply (0)
destination unreachable (4)
time exceeded (11)
parameter problem (12)
If you can manage it (be careful!), you could rate limit ICMP traffic
also. I'd recommend putting ICMP rate limits at the edge and the
border. Make the border something larger than whatever the edge limit
is. For a typical 10/100 Mb/s /24 subnet, you can probably rate limit
ICMP to about 2 Mb/s, which would typically be way more than enough.
Note the warning above about rate limiting. Rate limiting is a hack and
you should understand exactly what may break if you do this.
If you're concerned about people mapping hosts based on the ICMP
messages above, you could also do additional filtering at the host
More information about the unisog