[nsp] Filter based forwarding

Gert Doering gert at greenie.muc.de
Thu Nov 6 03:28:02 EST 2003


Hi,

On Thu, Nov 06, 2003 at 08:28:29AM +0800, micky wrote:
> I just don't know how to tell nachi-worm and normal icmp
> How do I differentiate difference between them ?

Nachi packets have the Evil Bit set - see RFC 3514.

gert

PS: read the RFC, it's worth it.  But of course it's an April's Fool's
joke.  There is nothing special about Nachi ICMPs, except that they are
always 92 byte in size - and it's perfectly legal for an ICMP ping to be
92 byte in size, which makes it very hard to do Nachi filtering without
hurting legitimate use.
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


More information about the cisco-nsp mailing list