[c-nsp] RES: Router security defaults (WAS RE: Proxy ARP -- Todisable, or not to disable..)

Scott McGrath mcgrath at fas.harvard.edu
Mon Mar 24 10:24:58 EDT 2008


We have - trouble is, as a university with really big pipes to the 'net,
we are a target and the CoPP and other anti-DoS mechanisms get
overwhelmed and become in themselves DoS amplifiers, so in the end the
KISS principle wins again until someone comes up with a really effective
packet sink for DDoS. We are looking at the Cisco Guard products along
these lines but so far nothing works quite as well as a simple ACL "deny
icmp any any", as this drops in hardware on the 3BXL with the no
unreach/redir so it can handle these packets at line rate. Recall that
even now the control plane of a 65xx is still only 1 Mbit so it's
possible to swamp the box fairly easily.

Fred Reimer wrote:
> Have you looked into implementing control plane policing, or, for the 6500
> SUP720 platform, the hardware rate-limiters, to allow some control traffic
> but limit the bandwidth?
>
> Thanks,
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott McGrath
> Sent: Monday, March 24, 2008 9:14 AM
> To: Leonardo Gama Souza
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] RES: Router security defaults (WAS RE: Proxy ARP --
> Todisable, or not to disable..)
>
> Both redirects and unreachables can be used to implement a Denial of
> Service attack. We allow them internally for troubleshooting but disallow
> both transmission to and reception from the global internet, both to
> prevent DDoS from compromised hosts and from external hosts with hostile
> intent.
>
> I really want to go back to the days when it was safe and acceptable to 
> run a completely open network.   Right now the internet is becoming more 
> and more like a no-man's land.
>
> Leonardo Gama Souza wrote:
>> as for the interface stuff...
>>
>>> Per Interface Config
>>>
>>>  no ip redirects
>>>  no ip unreachables
>>
>> Personally, I don't like those two. What's wrong with a router
>> _sending_ ICMP redirects or (even more important/useful) ICMP
>> unreachables?
>> Keep in mind those commands are not about accepting those (but, as said:
>> sending them).
>>
>> [Leonardo Gama Souza] >
>>
>> Personally I think it's much better to rate-limit 'ip unreachables' than
>> to block them.
>> Probably Cisco doesn't change these silly defaults because then they
>> wouldn't have selling points for tools such as SDM. :)
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
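The three approaches argued over in this thread (suppressing ICMP generation on the edge interface plus an ACL that drops in hardware, throttling unreachables instead of blocking them, and the SUP720 hardware rate limiters) side by side as an IOS configuration fragment. This is an added example, not configuration posted by any of the participants; the interface name, addresses, ACL name and the numeric rate-limit values are illustrative placeholders, and the rate-limiter command syntax should be checked against the IOS release actually running on the box.

```cisco
! --- Option A: what Scott describes. Stop the router generating redirects
! --- and unreachables on the Internet-facing interface, and drop all ICMP
! --- from the outside in the ingress ACL so it is handled in hardware.
interface TenGigabitEthernet1/1
 description Internet uplink (placeholder name)
 ip address 192.0.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 ip access-group EDGE-IN in
!
ip access-list extended EDGE-IN
 deny   icmp any any
 permit ip any any
!
! --- Option B: what Leonardo suggests. Keep sending unreachables, but
! --- throttle them. Global command; the argument is the minimum interval
! --- in milliseconds between unreachables the router generates (IOS default
! --- is 500 ms). Redirects are still suppressed per interface above.
ip icmp rate-limit unreachable 1000
!
! --- Option C: what Fred suggests for the 6500/SUP720. Hardware rate
! --- limiters for the ICMP the router itself must generate; arguments are
! --- packets per second and burst, values here are illustrative only.
mls rate-limit unicast ip icmp unreachable no-route 100 10
mls rate-limit unicast ip icmp unreachable acl-drop 100 10
mls rate-limit unicast ip icmp redirect 100 10
!
! --- Verification after applying any of the above:
!   show ip access-lists EDGE-IN     (hit counts on the deny line)
!   show mls rate-limit              (limiter status and drops)
!   show ip interface TenGigabitEthernet1/1 | include ICMP
```

Options A, B and C are not mutually exclusive; the thread's disagreement is about whether the blanket ACL deny is worth its side effects. One caveat a practitioner should weigh before copying option A: `deny icmp any any` also discards inbound ICMP type 3 code 4 (fragmentation needed), so path MTU discovery from the outside breaks unless a narrower `permit icmp any any packet-too-big` is placed ahead of the deny line.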