RE: [nsp] icmp blocking

From: Andy Ethelston (aethelston@city-reach.com)
Date: Thu Mar 28 2002 - 04:02:11 EST


Rather than denying ICMP, it may be better to rate-limit the packets; you
still have the ICMP capabilities while reducing the risk of DoS
attacks.

Try:

Router(config)#int Ethernet 0
Router(config-if)#no ip unreachables

Router(config)#ip icmp rate-limit unreachable n
(where n is the delay in msecs between consecutive packets)

See pages 93/94 of the Cisco ISP Essentials
http://www.cisco.com/public/cons/isp/essentials/ 2-9

Andy.
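As an added illustration (not from the post above or from Cisco), the following model shows what an interval-based unreachable limiter of the kind described above buys you and what it does not: with at most one ICMP unreachable every n ms router-wide, a flood to unrouted prefixes cannot turn the router into a high-rate unreachable generator, but the same router-wide limit means legitimate unreachables (e.g. traceroute probes) can be crowded out while the flood runs. Timestamps are integer microseconds so the arithmetic is exact; the traffic is constructed.

```python
# Added illustration, not Cisco code: a model of an interval-based ICMP
# unreachable rate limiter (one unreachable at most every interval_ms,
# router-wide). Timestamps are integers in microseconds.

def unreachables_sent(arrivals_us, interval_ms):
    """Return the arrival timestamps (us) that actually trigger an ICMP
    unreachable when consecutive unreachables must be >= interval_ms apart."""
    min_gap_us = interval_ms * 1000
    sent, last = [], None
    for t in sorted(arrivals_us):
        if last is None or t - last >= min_gap_us:
            sent.append(t)
            last = t
    return sent

def flood(pps, seconds):
    """Constructed attack traffic: pps packets/s aimed at unrouted prefixes,
    evenly spaced, each of which would elicit an unreachable if unlimited."""
    step_us = 1_000_000 // pps
    return [i * step_us for i in range(pps * seconds)]

def probes(every_ms, count, offset_us=0):
    """Constructed legitimate traffic, e.g. traceroute-style probes."""
    return [offset_us + i * every_ms * 1000 for i in range(count)]

def compare(pps, seconds, interval_ms):
    """Unreachables emitted per second by the router: unlimited vs limited."""
    traffic = flood(pps, seconds)
    unlimited = len(traffic) / seconds
    limited = len(unreachables_sent(traffic, interval_ms)) / seconds
    return unlimited, limited

def starvation(pps, seconds, interval_ms, probe_every_ms):
    """Fraction of legitimate probes still answered while a flood runs.
    The limiter is router-wide, not per source, so the flood consumes
    the budget and legitimate unreachables are dropped as well."""
    legit = probes(probe_every_ms, seconds * 1000 // probe_every_ms, offset_us=1)
    sent = set(unreachables_sent(flood(pps, seconds) + legit, interval_ms))
    answered = sum(1 for t in legit if t in sent)
    return answered / len(legit)

if __name__ == "__main__":
    print("10k pps flood, 500 ms interval:", compare(10_000, 1, 500))
    print("probes answered during flood:", starvation(10_000, 2, 500, 1000))
```

The numbers it prints are for the constructed traffic only; the point is that choosing n trades the ceiling on unreachables per second against how often legitimate diagnostics still get a reply.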

-----Original Message-----
From: Birsen Ozturk [mailto:birsen.ozturk@is.net.tr]
Sent: 28 March 2002 14:47
To: cisco-nsp@puck.nether.net
Subject: [nsp] icmp blocking

Hello List

I was looking for information about denying ICMP packets across the
backbone. What is the efficient/recommended way of doing it? What are the
drawbacks and maybe workarounds? I feel like if the backbone devices are
open to ICMP they are vulnerable to DoS attacks. Any idea/recommendation
is welcome.

Birsen



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:09 EDT