RE: [nsp] icmp blocking

• Next message: dre: "Re: [nsp] icmp blocking"
• Previous message: Barry Raveendran Greene: "RE: [nsp] icmp blocking"
• Maybe in reply to: Birsen Ozturk: "[nsp] icmp blocking"
• Next in thread: Shi, Ning: "RE: [nsp] icmp blocking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

Rather than denying ICMP, it maybe better to rate limit the packets, you
still have the icmp capabilities along with reducing the risk of DOS
attacks.

Try:

Router(config)#int Ethernet 0
Router(config-if)#no ip unreachables

Router(config)#ip icmp rate-limit unreachable n (where n is the delay in
msecs between consecutive packets)

See page 93/94 on the Cisco ISP Essentials
http://www.cisco.com/public/cons/isp/essentials/ 2-9

Andy.

-----Original Message-----
From: Birsen Ozturk [mailto:birsen.ozturk@is.net.tr]
Sent: 28 March 2002 14:47
To: cisco-nsp@puck.nether.net
Subject: [nsp] icmp blocking

Hello List

I was looking for information about denying ICMP packets accross the
backbone. What is the efficient/reccomended way of doing it? What are
the
drawbacks and maybe workarounds? I feel like if the backbone devices are
open to ICMP they are vulnerable to DoS attacks. Any idea/reccomendation
is welcome.

Birsen

• Next message: dre: "Re: [nsp] icmp blocking"
• Previous message: Barry Raveendran Greene: "RE: [nsp] icmp blocking"
• Maybe in reply to: Birsen Ozturk: "[nsp] icmp blocking"
• Next in thread: Shi, Ning: "RE: [nsp] icmp blocking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
• Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:09 EDT