On 10/21/2010 08:58 AM, Wade Preston Shearer wrote:
> (sorry for the top post with no trim, I'm on a web client)
>
> Would you recommend not rate-limiting ping? It's there because it
> was recommended to me if I remember correctly, not because I felt
> like it should be.

The risk you run is if somebody does flood you with ICMP packets, you might overflow your state table. Defeats the point somewhat. But unless you've got lots of bandwidth, the DDoS is likely to kill you anyway so it might be a moot point. As Stuart said, that's a question you have to answer yourself.

I have seen on one occasion where an ICMP rate limiting rule caused all sorts of havoc to my monitoring systems because the replies were getting delayed and/or dropped. Bad stuff.

Corey
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
