
ICMP echo isn't amplification, as long as you don't respond to multicast/broadcast addresses. It's still 1:1 reflection, so you probably want to rate limit if it's simple (FreeBSD and Linux come out of the box with sane default rate limits).



It is amplification if you allow the packets through transparently because all the hosts behind your firewall will respond if you send an echo request to the broadcast address.

So you're going to have to do a little bit more configuration than just allow a maximum packet size. If you're going to allow ICMP to transit at all, you should also limit the allowed set of addresses (you should do that regardless, but echo can be used for amplification requests by virtue of the broadcast feature of the IP protocol). Hence the 'one step away'.

This was known as the 'smurf' attack. Fortunately this is now mostly a thing of the past. But poking holes in your firewall for ICMP is a delicate affair.
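As an added illustration of the two points made in this thread (echo requests to broadcast or multicast addresses turn 1:1 reflection into amplification, and per-source rate limiting is the usual backstop), here is a small detector that runs over constructed flow records. It is not code from the thread; the protected network `192.0.2.0/24`, the record layout `(src, dst, icmp_type)` and the sample addresses are assumptions made for the example.

```python
"""Flag ICMP echo requests aimed at broadcast/multicast addresses (smurf-style reflectors).

Added example, not from the thread. The flow records below are constructed.
"""
import ipaddress
from collections import Counter

# Constructed flow records: (src, dst, icmp_type). Type 8 = echo request, 0 = echo reply.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 8),          # ordinary unicast ping: 1:1 reflection only
    ("203.0.113.5", "192.0.2.255", 8),         # directed broadcast of 192.0.2.0/24
    ("203.0.113.5", "224.0.0.1", 8),           # all-hosts multicast group
    ("198.51.100.7", "192.0.2.11", 8),
    ("198.51.100.7", "192.0.2.11", 0),         # a reply, not a request
    ("203.0.113.5", "255.255.255.255", 8),     # limited broadcast
]

# Assumed: the networks sitting behind the firewall whose hosts would all answer.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

ECHO_REQUEST = 8


def is_reflector_target(dst: str, nets=INTERNAL_NETS) -> bool:
    """True if dst is multicast, the limited broadcast address, or the directed
    broadcast address of one of the protected networks."""
    addr = ipaddress.ip_address(dst)
    if addr.is_multicast:
        return True
    if addr == ipaddress.ip_address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in nets)


def find_smurf_candidates(flows, nets=INTERNAL_NETS):
    """Return echo requests whose destination would make many hosts reply at once."""
    return [f for f in flows if f[2] == ECHO_REQUEST and is_reflector_target(f[1], nets)]


def per_source_counts(flows, nets=INTERNAL_NETS) -> Counter:
    """Count flagged requests per source; a rate limiter would key on this."""
    return Counter(src for src, _, _ in find_smurf_candidates(flows, nets))


if __name__ == "__main__":
    for src, dst, _ in find_smurf_candidates(SAMPLE_FLOWS):
        print(f"echo request from {src} to broadcast/multicast {dst}")
    print(per_source_counts(SAMPLE_FLOWS))
```

The unicast ping to `192.0.2.10` is deliberately not flagged: that is plain 1:1 reflection and is what the rate limit is for. On Linux hosts the broadcast half is also handled by the default `net.ipv4.icmp_echo_ignore_broadcasts=1`, but a network firewall that forwards the request still needs its own rule, which is the point of the thread.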


Sorry, I had lost the context that it was a network firewall (not a host firewall), and missed the 'one step away' as well.


Ah ok. It was only a one line context switch so that was an easy mistake to make.



