How do you deal with ICMP packets?
I've read about it and it seems that rate-limiting is best for ICMP packets, because in the past it was quite easy to DoS different OSes with ICMP packets. Blocking is another option, but it probably isn't the most RFC compliant way.
I don't know how much should I rate-limit them and where. ICMP rate-limiting on ingress only should prevent DoS, but may be not enough to prevent sending large number of ICMP packets (packet reflection), because they may be generated by OS rejecting UDP packets. On the other hand rate-limiting on egress only does not prevent against DoS and I can just not reject UDP packets and drop them instead. I lean towards rate-limiting on both ingress and egress.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
|