[AusNOG] network security Question
Brad Gould
bradley at internode.com.au
Tue May 20 14:05:41 EST 2014
From an SP engineer's point of view, blocking ICMP is a pain.
Looking glasses don't have the option of "test with telnet port 80" rather than "ping". Port scanning a customer is a last resort when there are usually easier test cases to find before a change - it's better to be a test case than not :)
Brad
-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Roland Dobbins
Sent: Tuesday, 20 May 2014 1:13 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] network security Question
On May 20, 2014, at 10:36 AM, Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com> wrote:
> I like the idea of allowing icmp through, make network diagnosis a lot easier, but I don't want to be bombed.
At a minimum, ICMP Type-3/Code-4 is necessary for PMTU-D. Block it, and you will break things.
> What sort of rate limiting do people think is acceptable?
Depends upon your network type, traffic, etc.
> What's acceptable from client to confirm connectivity?
ICMP Echo Request, Echo Reply, and Don't Fragment (Type-3/Code-4).
> I'm asking as an end user, but I am also curious to know what providers do.
For scanning? Generally, nothing, unless it's so aggressive that it constitutes a DDoS.
<https://app.box.com/s/osk4po8ietn1zrjjmn8b>
----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Equo ne credite, Teucri.
-- Laocoön
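As an added illustration of the allow list discussed above (Echo Request, Echo Reply, and Type 3/Code 4 for PMTUD, with rate limiting on echo only), here is a small ICMPv4 policy check written for this thread; it is not code from either poster. The rate values, the choice to exempt Type 3/Code 4 from rate limiting, and the sample messages are constructed assumptions.

```python
import struct

# ICMPv4 types/codes named in the thread (RFC 792; next-hop MTU field from RFC 1191).
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST = 0, 3, 8
FRAG_NEEDED = 4  # Type 3 / Code 4: "Fragmentation Needed and DF set"

def parse_icmp(msg: bytes):
    """Split an ICMPv4 message into (type, code, second-header-word, payload)."""
    if len(msg) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _checksum, word2 = struct.unpack("!BBHI", msg[:8])
    return icmp_type, code, word2, msg[8:]

def next_hop_mtu(word2: int) -> int:
    """RFC 1191: the low 16 bits of the second header word carry the next-hop MTU."""
    return word2 & 0xFFFF

class TokenBucket:
    """Deterministic token bucket: `rate` tokens/second, at most `burst` stored.
    Time is passed in explicitly so the policy can be tested offline."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0
    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def icmp_policy(msg: bytes, echo_bucket: TokenBucket, now: float) -> str:
    """Decide what an edge filter does with one inbound ICMPv4 message."""
    icmp_type, code, word2, _ = parse_icmp(msg)
    if icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED:
        # Assumption: PMTUD signalling is never rate limited, since dropping it breaks TCP.
        return f"accept (pmtud, next-hop mtu {next_hop_mtu(word2)})"
    if icmp_type == ECHO_REPLY:
        return "accept"
    if icmp_type == ECHO_REQUEST:
        return "accept" if echo_bucket.allow(now) else "ratelimit-drop"
    return "drop"  # anything else (redirects, timestamp, etc.) is not on the allow list

# Constructed sample messages (checksums zeroed; not real captures).
ECHO_REQ = bytes([8, 0, 0, 0, 0x12, 0x34, 0, 1])
FRAG_NEEDED_MSG = bytes([3, 4, 0, 0, 0, 0, 0x05, 0xDC]) + b"\x45" * 28  # MTU 1500 + quoted hdr
TIMESTAMP_REQ = bytes([13, 0, 0, 0, 0, 0, 0, 0]) + b"\x00" * 12

if __name__ == "__main__":
    bucket = TokenBucket(rate=2.0, burst=3)
    for now in (0.0, 0.1, 0.2, 0.3, 2.0):
        print(now, icmp_policy(ECHO_REQ, bucket, now))
    print(icmp_policy(FRAG_NEEDED_MSG, bucket, 2.0), icmp_policy(TIMESTAMP_REQ, bucket, 2.0))
```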
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog