RE: [nsp] icmp blocking

From: Barry Raveendran Greene (bgreene@cisco.com)
Date: Thu Mar 28 2002 - 03:18:37 EST


You can add more resistance to an ICMP Unreachable overload on the router
with the ICMP Unreachable Rate-Limit. Default is 1 unreachable reply every
500ms (which is the IOS default). We do not have a BCP, but most people who
are cranking this up are setting it at 1 every 2000ms.

        ip icmp rate-limit unreachable 2000
        ip icmp rate-limit unreachable df 2000

> -----Original Message-----
> From: Stephen Gill [mailto:gillsr@yahoo.com]
> Sent: Thursday, March 28, 2002 12:59 AM
> To: 'fingers'; 'Birsen Ozturk'
> Cc: cisco-nsp@puck.nether.net
> Subject: RE: [nsp] icmp blocking
>
>
> Kudos to Rob Thomas for addressing this in a quick how-to guide, as I
> think it will answer your question...
> http://www.enteract.com/~robt/Docs/Articles/icmp-messages.html
>
> You are better off allowing a specific subset of ICMP and rate limiting
> it. This way you have the best of both worlds, and you won't break
> things too badly like source quench, path MTU, unreachable messages,
> etc...
>
> -- steve
>
> -----Original Message-----
> From: fingers [mailto:fingers@fingers.co.za]
> Sent: Wednesday, March 27, 2002 11:39 PM
> To: Birsen Ozturk
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] icmp blocking
>
> Hi
>
> > I was looking for information about denying ICMP packets across the
> > backbone. What is the efficient/recommended way of doing it? What are
> > the drawbacks and maybe workarounds? I feel like if the backbone
> > devices are open to ICMP they are vulnerable to DoS attacks. Any
> > idea/recommendation is welcome.
>
> You may wish to think about rate-limiting it instead of denying it
> outright.
>
> Regards
>
> --Rob
>
>
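The following is an added illustration, not part of the thread and not Cisco code: a small Python model of the per-interval unreachable rate limiter the reply above configures, run over a constructed traffic sample so the effect of the 500ms default versus the 2000ms setting can be counted. It assumes (as a modelling choice, not a documented IOS fact) that the `unreachable` and `unreachable df` limits are independent timers, and it also tries a third combination the thread does not mention (2000ms generic, 500ms df) to show why the `df` variant is worth setting separately.

```python
"""Model of a per-interval ICMP unreachable rate limiter: at most one reply per
interval_ms, with an independent timer for 'fragmentation needed' (DF)
unreachables.  Constructed teaching example; traffic sample is invented."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class UnreachableLimiter:
    """Mirrors the two config lines from the thread:
        ip icmp rate-limit unreachable 2000
        ip icmp rate-limit unreachable df 2000
    ASSUMPTION: generic and df limiters are modelled as independent timers."""
    interval_ms: int
    df_interval_ms: int
    _last_sent: Dict[str, int] = field(default_factory=dict)

    def would_send(self, now_ms: int, df: bool = False) -> bool:
        """Return True if the router would emit an unreachable at now_ms,
        and record the send time; False if the limiter suppresses it."""
        key = "df" if df else "generic"
        interval = self.df_interval_ms if df else self.interval_ms
        last = self._last_sent.get(key)
        if last is None or now_ms - last >= interval:
            self._last_sent[key] = now_ms
            return True
        return False


def simulate(events: List[Tuple[int, bool]], interval_ms: int,
             df_interval_ms: int) -> Dict[str, int]:
    """Feed (time_ms, needs_df_unreachable) triggers through the limiter and
    count replies emitted per class versus replies suppressed."""
    lim = UnreachableLimiter(interval_ms, df_interval_ms)
    counts = {"generic_sent": 0, "df_sent": 0, "suppressed": 0}
    for t, df in sorted(events):
        if lim.would_send(t, df):
            counts["df_sent" if df else "generic_sent"] += 1
        else:
            counts["suppressed"] += 1
    return counts


def sample_traffic() -> List[Tuple[int, bool]]:
    """Constructed sample: a 1000-packet flood to an unrouted destination
    (one per ms for one second), plus two legitimate oversized DF packets
    at 250 ms and 750 ms that need a 'fragmentation needed' reply for PMTUD."""
    flood = [(t, False) for t in range(1000)]
    pmtud = [(250, True), (750, True)]
    return flood + pmtud


if __name__ == "__main__":
    traffic = sample_traffic()
    for generic, df in ((500, 500), (2000, 2000), (2000, 500)):
        print(f"unreachable {generic}ms / df {df}ms ->",
              simulate(traffic, generic, df))
```

Whatever the flood size, the router answers it with at most one unreachable per interval, so the reply load is bounded by the configured value rather than by the attacker. Because the df timer is tracked separately in this model, the two PMTUD-relevant packets still get their replies at a 500ms df interval even while the generic limit is at 2000ms; this is the reason the thread sets the two knobs as distinct lines.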



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:09 EDT