[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Justin Shore justin at justinshore.com
Mon Mar 24 10:55:42 EDT 2008


Enno Rey wrote:
> Hi,
> 
>> Per Interface Config
>>
>>  no ip redirects
>>  no ip unreachables
> 
> personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables?
> keep in mind those commands are not about accepting those (but, as said: sending them).

To more explicitly say what everyone was dancing around, ICMPs are 
classified as "receive" packets which can only be process switched. 
This leaves a wide open avenue for resource exhaustion attacks.

ICMP can be very useful for troubleshooting and diagnostics.  It is also 
an extremely easy and effective method with which to DoS SPs.  I don't 
agree with blocking it outright, even at the Internet borders, but I do 
agree that much of it can be used maliciously and that it should be 
controlled.  Deny ICMP frags explicitly (otherwise you'll endure 2 CPU 
interrupts).  Permit echo requests and replies to your access edges. 
Permit packet-too-big (for PMTU) and time-exceeded (traceroutes).  Then 
rate-limit it down to a reasonable number.  On your routing devices 
disable/prevent all unnecessary ICMP services and responses.  Rate-limit 
all necessary responses to a reasonable level.  Good info on how to 
accomplish all of this can be had in the "Router Security Strategies" Cisco 
Press book and many other resources.


Justin
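
Added example (not from the post or the list): a Cisco IOS control-plane policing (CoPP) fragment that applies the ICMP policy described above to traffic punted to the route processor. ACL names, policy-map name, and the police rates are assumptions chosen for illustration; tune the rates to the platform.

```cisco
! Constructed example. In a CoPP class, an ACL "permit" means "this packet
! belongs to the class"; a "deny" means "fall through to the next class".
!
! Non-initial ICMP fragments: classified separately so they can be dropped
! outright (the post notes they cost two CPU interrupts if let through).
ip access-list extended CoPP-ICMP-FRAGS
 permit icmp any any fragments
!
! The ICMP the post says to keep: echo/echo-reply for reachability checks,
! packet-too-big for PMTU discovery, time-exceeded for traceroute.
ip access-list extended CoPP-ICMP-ALLOWED
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
!
class-map match-all CoPP-ICMP-FRAGS
 match access-group name CoPP-ICMP-FRAGS
class-map match-all CoPP-ICMP-ALLOWED
 match access-group name CoPP-ICMP-ALLOWED
!
policy-map CoPP
 ! Fragments: drop whether or not they conform to the (tiny) rate.
 class CoPP-ICMP-FRAGS
  police 8000 1500 conform-action drop exceed-action drop
 ! Useful ICMP: rate-limited to a level the RP can absorb (assumed values,
 ! bits per second and burst bytes).
 class CoPP-ICMP-ALLOWED
  police 128000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

Any ICMP type not permitted by either ACL is left to the policy's class-default, so add an explicit class-default policer to bound everything else that reaches the control plane.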

