<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>JNOS here has been getting slammed with ICMP DDoS/probes/pings
from 52.94.35.0/24 (botnet?), an Amazon(?) subnet... I have ICMP echo
off, and it still replies to ping probes, and is responding to the
ICMP attack as well... ICMP quench is off... shouldn't that be the
default?</p>
<p>"</p>
<pre>7. Recommendation Regarding RFC 1016

[RFC1016] describes an experimental approach to the handling of ICMP
Source Quench messages in hosts that was considered in 1987. Even
though RFC 1016 has never been on the IETF Standards Track, for
clarity and avoidance of doubt we note that the approach described in
[RFC1016] MUST NOT be implemented.

8. Security Considerations

ICMP Source Quench messages could be leveraged for performing blind
throughput-reduction attacks against TCP and similar protocols. This
attack vector, along with possible countermeasures, has been
discussed in great detail in [RFC5927] and [CPNI-TCP]. Silently
ignoring ICMP Source Quench messages, as specified in this document,
eliminates the aforementioned attack vector.

For current TCP implementations, receipt of an ICMP Source Quench
message should not result in security issues because, as noted in
[RFC5927] and [CPNI-TCP], virtually all current versions of popular
TCP implementations already silently ignore ICMP Source Quench
messages. This is also the case for SCTP and DCCP implementations.

Hosts, security gateways, and firewalls MUST silently discard
received ICMP Source Quench packets and SHOULD log such drops as a
security fault with at least minimal details (IP Source Address, IP
Destination Address, ICMP message type, and date/time the packet was
seen)."
</pre>
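<p>The discard-and-log rule in the quoted text, as an added example that is not part of the original post, the RFC text, or the JNOS source: a C filter that recognises an ICMP Source Quench (type 4) in a raw IPv4 packet, tells the caller to drop it silently, and builds a log line with the minimal details the text lists. The name <code>quench_filter</code>, the log format, and the sample packets (documentation addresses, zeroed checksums) are assumptions made for illustration.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define ICMP_SOURCE_QUENCH 4   /* ICMP message type 4 */

/* Constructed sample packets (documentation addresses, checksums left zero). */
static const uint8_t SAMPLE_QUENCH[] = {
    0x45,0,0,28, 0,0,0,0, 64,1,0,0, 192,0,2,1, 198,51,100,7,  /* IPv4 header */
    4,0,0,0, 0,0,0,0 };                                       /* ICMP type 4 */
static const uint8_t SAMPLE_ECHO[] = {
    0x45,0,0,28, 0,0,0,0, 64,1,0,0, 192,0,2,1, 198,51,100,7,
    8,0,0,0, 0,0,0,0 };                                       /* ICMP type 8 */
static const uint8_t SAMPLE_FRAGMENT[] = {                    /* offset != 0 */
    0x45,0,0,28, 0,0,0,1, 64,1,0,0, 192,0,2,1, 198,51,100,7,
    4,0,0,0, 0,0,0,0 };

/* Hypothetical helper, not a JNOS function. Returns 1 when pkt is an ICMP
 * Source Quench that must be silently discarded, and fills log with the
 * minimal details; returns 0 for anything else, leaving log untouched. */
int quench_filter(const uint8_t *pkt, size_t len, time_t seen,
                  char *log, size_t logsz)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;        /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;             /* header length */
    if (ihl < 20 || len <= ihl) return 0;                 /* no ICMP type byte */
    if (pkt[9] != 1) return 0;                            /* protocol is not ICMP */
    if (((pkt[6] & 0x1F) << 8 | pkt[7]) != 0) return 0;   /* later fragment: no ICMP header */
    if (pkt[ihl] != ICMP_SOURCE_QUENCH) return 0;

    char ts[32] = "unknown-time";
    struct tm *utc = gmtime(&seen);
    if (utc) strftime(ts, sizeof ts, "%Y-%m-%dT%H:%M:%SZ", utc);
    snprintf(log, logsz, "%s DROP icmp type=%d src=%d.%d.%d.%d dst=%d.%d.%d.%d",
             ts, pkt[ihl], pkt[12], pkt[13], pkt[14], pkt[15],
             pkt[16], pkt[17], pkt[18], pkt[19]);
    return 1;                                             /* caller sends no reply */
}

int main(void)
{
    char line[128];
    if (quench_filter(SAMPLE_QUENCH, sizeof SAMPLE_QUENCH, time(NULL), line, sizeof line))
        puts(line);
    return quench_filter(SAMPLE_ECHO, sizeof SAMPLE_ECHO, 0, line, sizeof line) |
           quench_filter(SAMPLE_FRAGMENT, sizeof SAMPLE_FRAGMENT, 0, line, sizeof line);
}
```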
</body>
</html>