Rather than denying ICMP, it may be better to rate-limit the packets; you
still have the ICMP capabilities while reducing the risk of DoS
attacks.
Try:
Router(config)#int Ethernet 0
Router(config-if)#no ip unreachables
Router(config-if)#exit
Router(config)#ip icmp rate-limit unreachable n
(where n is the delay in msecs between consecutive packets)
See page 93/94 on the Cisco ISP Essentials
http://www.cisco.com/public/cons/isp/essentials/ 2-9
Andy.
-----Original Message-----
From: Birsen Ozturk [mailto:birsen.ozturk@is.net.tr]
Sent: 28 March 2002 14:47
To: cisco-nsp@puck.nether.net
Subject: [nsp] icmp blocking
Hello List
I was looking for information about denying ICMP packets across the
backbone. What is the efficient/recommended way of doing it? What are
the drawbacks and maybe workarounds? I feel like if the backbone devices are
open to ICMP they are vulnerable to DoS attacks. Any idea/recommendation
is welcome.
Birsen
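
Added example (not part of the original messages or of Cisco documentation): a Python model of the rate limit described in the reply above. It assumes the limiter allows one ICMP unreachable per n msecs, shared across all sources; the traffic is constructed. It shows that the router's reply load stays bounded during a flood, and that legitimate probes can go unanswered while the flood lasts.

```python
"""Model of an interval-based ICMP unreachable limiter (added example)."""


def simulate(flood_pps, probe_times_ms, interval_ms, duration_ms=1000):
    """Count unreachable replies sent to flood packets and to probes.

    Assumed model: after one reply is sent, no further reply is sent
    until interval_ms has elapsed, regardless of source.
    interval_ms=0 models a router with no rate limit configured.
    """
    # Constructed traffic: evenly spaced flood packets that each
    # trigger an unreachable, plus a few legitimate probes.
    flood = [(i * 1000.0 / flood_pps, "flood")
             for i in range(flood_pps * duration_ms // 1000)]
    probes = [(float(t), "probe") for t in probe_times_ms]

    replies = {"flood": 0, "probe": 0}
    next_allowed = 0.0
    for t, kind in sorted(flood + probes):
        if t >= next_allowed:          # limiter lets this reply out
            replies[kind] += 1
            next_allowed = t + interval_ms
    return replies


if __name__ == "__main__":
    probes = [250, 600, 900]  # constructed probe arrival times (ms)
    cases = [
        ("no limit, 10k pps flood", 10000, 0),
        ("500 ms limit, 10k pps flood", 10000, 500),
        ("500 ms limit, no flood", 0, 500),
    ]
    for label, pps, interval in cases:
        print(f"{label:30s} {simulate(pps, probes, interval)}")
```
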