[c-nsp] cisco 7500 UDP attack

Rubens Kuhl Jr. rubensk at gmail.com
Fri Sep 22 12:37:05 EDT 2006


> When a deny entry in an ACL is matched, an ICMP administratively prohibited
> unreachable message is sent back to the source, which adds to the CPU pegging
> during a DoS. A slightly better tactic might be to create an ACL with only
> permit statements (and the implicit deny), and use a route-map to match on
> that ACL and set the destination interface to Null0.

"no ip unreachables" prevents the router from generating ICMP
messages. On IOS versions where policy-routing forces traffic to
process switching, using an ACL is much, much better. On current IOS
versions it should be almost equivalent.


Rubens
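The two approaches discussed in this thread, side by side, as an added IOS configuration example (not part of the original messages). The interface name, addresses (RFC 5737 documentation ranges), ACL and route-map names and the attacked UDP port are all placeholders chosen for the example.

```ios
! Option A (the reply): drop with an ACL, and stop the router from
! answering every dropped packet with ICMP type 3 / code 13.
ip access-list extended DROP-UDP-FLOOD
 remark constructed example: victim host and port are placeholders
 deny   udp any host 192.0.2.10 eq 12345
 permit ip any any
!
interface FastEthernet1/0/0
 description upstream link (constructed example)
 ip address 203.0.113.2 255.255.255.252
 ip access-group DROP-UDP-FLOOD in
 no ip unreachables
!
! Option B (the quoted suggestion): an ACL with only permit entries,
! and a route-map that policy-routes whatever it matches to Null0.
! Traffic that does not match the route-map is forwarded normally.
ip access-list extended UDP-FLOOD-TO-NULL
 remark constructed example: same placeholder victim and port
 permit udp any host 192.0.2.10 eq 12345
!
route-map BLACKHOLE-UDP permit 10
 match ip address UDP-FLOOD-TO-NULL
 set interface Null0
!
interface FastEthernet1/0/0
 ip policy route-map BLACKHOLE-UDP
!
! Packets sent to Null0 are still "unreachable" from the router's point
! of view, so Null0 must be told not to generate ICMP for them as well.
interface Null0
 no ip unreachables
```

Two things to check after applying either option: `show ip access-lists DROP-UDP-FLOOD` (or `show route-map BLACKHOLE-UDP`) shows the match counters climbing, and `show ip interface FastEthernet1/0/0` should report that ICMP unreachables are never sent. The caveat a practitioner should weigh is that `no ip unreachables` suppresses all ICMP type 3 messages on that interface, including fragmentation-needed, so Path MTU Discovery for hosts behind it can be affected; by default IOS already rate-limits unreachables to one per 500 ms (`ip icmp rate-limit unreachable`), which is why an outright disable matters most when the deny hits are being punted to the CPU rather than for the ICMP volume itself. On older IOS releases where policy routing is process-switched, `ip route-cache policy` on the interface enables fast-switched policy routing; without it, the ACL-only option is the one to use, as the reply above says.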

