[c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Scott McGrath mcgrath at fas.harvard.edu
Mon Mar 24 09:14:24 EDT 2008


Both redirects and unreachables can be used to implement a Denial of 
Service attack. We allow internally for troubleshooting but disallow 
both transmission to and reception from the global internet. Both to 
prevent DDoS from compromised hosts and from external hosts with hostile 
intent.

I really want to go back to the days when it was safe and acceptable to 
run a completely open network. Right now the internet is becoming more 
and more like a no-man's land.

Leonardo Gama Souza wrote:
> as for the interface stuff...
>
>   
>> Per Interface Config
>>
>>  no ip redirects
>>  no ip unreachables
>>     
>
> personally, I don't like those two. what's wrong with a router
> _sending_ icmp redirects or (even more important/useful) icmp
> unreachables?
> keep in mind those commands are not about accepting those (but, as said:
> sending them).
>
>
> [Leonardo Gama Souza] >
>
> Personally I think it's much better to rate-limit 'ip unreachables' than
> to block them.
> Probably Cisco doesn't change these silly defaults because they won't
> have selling points for tools such as SDM. :)
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>   
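Both positions in the thread expressed in IOS syntax, as an added example rather than configuration posted by either author: the global rate-limit Leonardo prefers, and the "allow internally, block at the edge" policy Scott describes. Interface names, addresses and ACL names are made up; the `packet-too-big` exception is an addition so that Path MTU Discovery still works when unreachables are otherwise dropped.

```cisco
! Global: keep generating unreachables but rate-limit them
! (one per 1000 ms per interface; the IOS default is 500 ms)
ip icmp rate-limit unreachable 1000
!
! Edge ACL, inbound from the Internet: drop redirects and unreachables,
! but keep type 3 / code 4 (fragmentation needed) so PMTUD is not broken
ip access-list extended EDGE-IN
 deny   icmp any any redirect
 permit icmp any any packet-too-big
 deny   icmp any any unreachable
 permit ip any any
!
! Mirror image outbound, so compromised internal hosts cannot use the
! router as a source of redirects/unreachables toward the Internet
ip access-list extended EDGE-OUT
 deny   icmp any any redirect
 permit icmp any any packet-too-big
 deny   icmp any any unreachable
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream (global Internet) - constructed example
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
interface GigabitEthernet0/1
 description Internal LAN, unreachables kept for troubleshooting
 ip address 10.0.0.1 255.255.255.0
 ip redirects
 ip unreachables
```

`show ip icmp rate-limit` confirms the configured interval, and the `deny` counters in `show ip access-lists EDGE-IN` show how much redirect/unreachable traffic the edge is actually dropping.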