[c-nsp] ACL rejecting rather than dropping
Jeff Kell
jeff-kell at utc.edu
Thu May 31 10:15:32 EDT 2007
Vincent De Keyzer wrote:
>> That's what 'normal IOS' does by default, unless you have 'no ip unreach'
>> configured on the ingress interface :-)
> What are the downsides of running "ip unreachable"? It was always presented
> to me as a bad thing...
The usual and customary argument is that it "facilitates reconnaissance" of your network by a hacker.
It also amplifies the effect of a DoS-type attack, where you are returning an unreachable packet for every attack packet you are denying. There are a few "knobs" in IOS to try to prevent this (implicit rate limit on ICMP?) but I don't recall the specifics off the top of my head.
Jeff
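To put numbers on the amplification point Jeff makes above, here is a small simulation I added (it is not code from the original thread or from Cisco). It models one ingress interface that denies a flood of packets and counts how many ICMP unreachables the router would send back under three settings: unreachables on with no rate limit, the IOS default (as I understand it, `ip icmp rate-limit unreachable 500`, one unreachable per 500 ms per interface), and `no ip unreachables`. The packet arrival times are constructed, and the 500 ms default is an assumption to check against your IOS version.

```python
"""Simulated ICMP-unreachable generation for packets denied by an ACL.

Added example, not from the original post.  Assumptions (constructed):
  - the interface denies every packet in the flood;
  - IOS sends one ICMP unreachable per denied packet unless
    'no ip unreachables' is set or the ICMP rate limit suppresses it;
  - the default limit is 'ip icmp rate-limit unreachable 500' (500 ms
    between unreachables per interface); 0 here means the limit is off.
"""
from dataclasses import dataclass


@dataclass
class InterfaceConfig:
    ip_unreachables: bool = True   # 'ip unreachables' is on by default
    rate_limit_ms: int = 500       # assumed IOS default; 0 = no rate limit


def unreachables_generated(arrivals_ms, cfg):
    """Count the ICMP unreachables emitted for denied packets arriving at
    the given times (milliseconds).  Returns 0 when unreachables are off;
    otherwise applies a simple 'at most one per rate_limit_ms' gate."""
    if not cfg.ip_unreachables:
        return 0                   # 'no ip unreachables': deny is silent
    sent = 0
    last_sent = None
    for t in sorted(arrivals_ms):
        unlimited = cfg.rate_limit_ms <= 0
        if unlimited or last_sent is None or t - last_sent >= cfg.rate_limit_ms:
            sent += 1
            last_sent = t
    return sent


def amplification_factor(arrivals_ms, cfg):
    """Reply packets per attack packet: 1.0 means every denied packet
    costs the router (and the spoofed victim) a return packet."""
    if not arrivals_ms:
        return 0.0
    return unreachables_generated(arrivals_ms, cfg) / len(arrivals_ms)


def flood(pps, seconds):
    """Constructed attack: pps denied packets per second, evenly spaced."""
    interval = 1000.0 / pps
    return [i * interval for i in range(int(pps * seconds))]


if __name__ == "__main__":
    attack = flood(pps=1000, seconds=10)   # 10,000 denied packets
    for label, cfg in [
        ("unreachables on, no rate limit", InterfaceConfig(rate_limit_ms=0)),
        ("unreachables on, 500 ms limit", InterfaceConfig()),
        ("no ip unreachables", InterfaceConfig(ip_unreachables=False)),
    ]:
        n = unreachables_generated(attack, cfg)
        print(f"{label:32s} -> {n:6d} unreachables "
              f"(factor {amplification_factor(attack, cfg):.3f})")
```

With the rate limit off, a 1000 pps flood produces 1000 unreachables per second; the assumed 500 ms default cuts that to two per second, and `no ip unreachables` to none. Note that the rate limiter also blunts the reconnaissance value of the replies, since a scanner sees the same silence for most probes that a drop would produce.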