AFAIK the main ICMP usage in DoS attacks is (spoofed source address) echo requests to a (remote subnet) broadcast addr to build up amplification (smurfing). I think it's best to try to see restricting ICMP usage as a small part in the larger security framework which consists of (not having those ancient services running in the first place) sysctl values, address filtering, rate limiting and blocking or restricting some ICMP type usage (traceroute (TTL), redirection). Please also note ICMP is an error reporting protocol so blocking everything definitely isn't a Good Thing to do.
For more, please see the 1st thread in this forum, post #2 under DoS and DDoS and also look at Robert Graham's Firewall FAQ as it has a good piece of information on ICMP.
HTH.
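As an added illustration of the layered approach the post describes (this is example code written for this page, not something the poster or the linked FAQ supplies), here is a small Linux policy that does not block ICMP wholesale: it keeps the error-reporting types, turns the host out of the smurf amplifier role, drops redirects, rate-limits echo requests, and filters spoofed source addresses on a gateway. The interface name, the 192.0.2.0/24 range, the rate figures and the `ICMP_IN` chain name are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original forum post. ICMP restriction as one
# layer: sysctls (no broadcast echo, no redirects, reverse-path check, ICMP
# rate limit), an iptables chain that keeps error-reporting ICMP types, and
# an RFC 2827 style spoof filter for a gateway. All names below are assumed.

IFACE="${IFACE:-eth0}"                  # assumed external interface
LOCAL_NET="${LOCAL_NET:-192.0.2.0/24}"  # assumed inside range (documentation prefix)

# Kernel side, printed as "key value" so it can be reviewed before applying.
# icmp_echo_ignore_broadcasts stops the host answering smurf echo requests;
# accept_redirects/send_redirects/secure_redirects stop route hijack via
# ICMP redirect; rp_filter drops packets whose source is not routable back
# via the arrival interface; icmp_ratelimit bounds outgoing error ICMP.
icmp_sysctl_settings() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.icmp_ratelimit 100
EOF
}

# Firewall side. Error-reporting types (unreachable, time-exceeded, which
# traceroute and PMTU discovery depend on, parameter-problem) are allowed;
# echo replies only for pings we sent; echo requests to a broadcast address
# are dropped, other echo requests are rate-limited; redirects are dropped;
# anything else ICMP is dropped at the end of the chain.
icmp_iptables_rules() {
    cat <<'EOF'
iptables -N ICMP_IN
iptables -A INPUT -p icmp -j ICMP_IN
iptables -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A ICMP_IN -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A ICMP_IN -p icmp --icmp-type echo-reply -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A ICMP_IN -p icmp --icmp-type echo-request -m addrtype --dst-type BROADCAST -j DROP
iptables -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
iptables -A ICMP_IN -p icmp --icmp-type redirect -j DROP
iptables -A ICMP_IN -j DROP
EOF
}

# Address filtering, only meaningful on a gateway that forwards for
# LOCAL_NET: packets arriving from outside claiming an inside source, and
# packets leaving with a source that is not ours (our hosts used as smurf
# reflectors with spoofed sources), are dropped.
spoof_filter_rules() {
    cat <<EOF
iptables -A FORWARD -i $IFACE -s $LOCAL_NET -j DROP
iptables -A FORWARD -o $IFACE ! -s $LOCAL_NET -j DROP
EOF
}

# Apply everything above; needs root. Each sysctl failure aborts.
apply_icmp_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    icmp_sysctl_settings | while read -r key value; do
        sysctl -w "$key=$value" >/dev/null || exit 1
    done || return 1
    { icmp_iptables_rules; spoof_filter_rules; } | sh -e
}

# Dry-run by default: print what would be applied. Pass "apply" to apply.
case "${1:-show}" in
    apply) apply_icmp_hardening ;;
    *)     icmp_sysctl_settings; icmp_iptables_rules; spoof_filter_rules ;;
esac
```

Run it without arguments to review the settings and rules, and with `apply` as root to install them. The broadcast-echo drop and `icmp_echo_ignore_broadcasts` cover the same smurf case at two layers on purpose; the final `ICMP_IN -j DROP` is what replaces "block all ICMP" with "block the ICMP we have not explicitly justified".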