Re: [nsp] icmp blocking

From: dre (andre@operations.net)
Date: Thu Mar 28 2002 - 05:52:22 EST


need some input for ideas on icmp filtering...
and filtering in general...

for non-backbones (idc's and other end points) -

inbound acl at edge:
deny or permit echo-request?
is there any undesired effect to filtering squench, timex, or unreachables here?
any undersired effect to filtering echo-reply?
rate limit or filter?

outbound acl at edge:
allow packet-too-bigs (very clear) even if denying other unreachables
deny or permit echo-replies?
deny or permit host unreachables?
deny or permit timex?
rate limit or filter?

other strange things:
what is 'icmp any any traceroute'? traceroute uses udp and icmp/timex, no?
on msfc's... must have 'no ip unreachables' on interfaces?
on gsr's e0/1/2... don't use outbound acl's?

where do you do acl's? at the edge only? in the core, also?
at an idc, does this change? cisco bcp for idc stuff
recently shows using msfc or pfc for acl's instead of the
border routers. also shown with full bgp tables on msfc's.
this is in the layer 3 core of the idc (not the edge). makes
sense, but what do you do at the edge then? where do you
implement urpf when gsr gig interfaces won't take it? on
the msfc's? i would guess the answer is yes.

use of 'tcp any any established'? use of reflexive acl's?
how to prevent ack/fin/urg/psh signature backdoors? or udp
sourced ports? and worse icmp or igmp based covert channels?

there are like 2 papers on cco about access-lists besides
the ios docs. one is good coverage of cat6k pfc/msfc acl's,
and the other is about rfc1858 but doesn't cover rfc3128.
isp essentials doesn't really cover this. idc srnd's don't
cover this in-depth like i'd like to see. need more ideas.

-dre

On Thu, Mar 28, 2002 at 12:18:37AM -0800, Barry Raveendran Greene wrote:
>
> You can add more resistance to a ICMP Unreachable overload on the router
> with the ICMP Unreachable Rate-Limit. Default is 1 unreachable reply every
> 500ms (which is the IOS default). We do not have a BCP, but most people who
> are cranking this up is setting it at 1 ever 2000ms.
>
> ip icmp rate-limit unreachable 2000
> ip icmp rate-limit unreachable df 2000
>
> > -----Original Message-----
> > From: Stephen Gill [mailto:gillsr@yahoo.com]
> > Sent: Thursday, March 28, 2002 12:59 AM
> > To: 'fingers'; 'Birsen Ozturk'
> > Cc: cisco-nsp@puck.nether.net
> > Subject: RE: [nsp] icmp blocking
> >
> >
> > Kudos to Rob Thomas for addressing this in a quick how-to guide, as I
> > think it will answer your question...
> > http://www.enteract.com/~robt/Docs/Articles/icmp-messages.html
> >
> > You are better off allowing a specific subset of ICMP and rate limiting
> > it. This way you have the best of both worlds, and you won't break
> > things too badly like source quench, path MTU, unreachable messages,
> > etc...
> >
> > -- steve
> >
> > -----Original Message-----
> > From: fingers [mailto:fingers@fingers.co.za]
> > Sent: Wednesday, March 27, 2002 11:39 PM
> > To: Birsen Ozturk
> > Cc: cisco-nsp@puck.nether.net
> > Subject: Re: [nsp] icmp blocking
> >
> > Hi
> >
> > > I was looking for information about denying ICMP packets accross the
> > > backbone. What is the efficient/reccomended way of doing it? What are
> > the
> > > drawbacks and maybe workarounds? I feel like if the backbone devices
> > are
> > > open to ICMP they are vulnerable to DoS attacks. Any
> > idea/reccomendation
> > > is welcome.
> >
> > You may wish to think about rate-limiting it instead of denying it
> > outright.
> >
> > Regards
> >
> > --Rob
> >
> >
>



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:39 EDT