[c-nsp] blocking icmp type 3 code 3
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 18 04:37:30 EDT 2013
On 07/17/2013 08:22 PM, Aaron wrote:
> Are there well-known attacks that produce a mass amount of icmp type 3
> (destination unreachable) code 3 (port unreachable) ?
>
As you suggest, spoofing which is blocked at the target with some kind
of ACL/filter that is rejecting rather than dropping.
If you can set up a SPAN, you can examine the embedded IP/L4 header in
the ICMP error message and get a better idea of the root cause. We've
been getting backscatter from source-spoofed DNS attacks (not reflection
attacks, although we've been getting those as well) of a very peculiar
nature for a few weeks now. There's a lot of odd stuff going on at the
moment.
> How to mitigate / combat this ?
With difficulty. Really, whoever is returning the ICMP is misbehaving;
they may be being DDoSed, but returning an ICMP error in response to the
DDoS just compounds the problem for yet more innocent parties.
You could contact the source of the ICMP, ask them to drop rather than
error the traffic, or rate-limit the ICMP generation (shame router
platforms aren't smarter in this respect).
> What if I acl deny icmp 3 3 inbound ? downsides ?
Well, yes, you'll break ICMP error propagation for legitimate cases. If
you must do this, consider rate-limiting them, or block only the people
who are spamming you with 3/3.
What kind of traffic levels are you seeing? Because if it's e.g.
100-1000 pps, another strategy is "ignore it".
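An added example (not from this thread or its authors) of the SPAN analysis Phil describes: parse ICMP type 3 code 3 packets, pull the embedded IP/UDP header out of each one, and tally which hosts are returning the errors and which target/port the source-spoofed traffic was aimed at. Packets and addresses are constructed here from documentation ranges, and the parser takes raw IPv4 frames as you would get from a capture file.

```python
import socket
import struct
from collections import Counter

def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum is left zero (the parser below does not verify it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst))

def build_port_unreachable(rejecting_host, spoofed_src, target, sport, dport):
    """Constructed sample: ICMP 3/3 from `rejecting_host` back to `spoofed_src`,
    quoting the IP+UDP header of a datagram that claimed to come from `spoofed_src`."""
    quoted = _ipv4_header(spoofed_src, target, 17, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted          # type, code, checksum, unused
    return _ipv4_header(rejecting_host, spoofed_src, 1, len(icmp)) + icmp

def parse_port_unreachable(pkt):
    """Return (icmp_src, original_src, original_dst, proto, sport, dport) for an
    ICMP type 3 code 3 packet, or None for anything else or truncated data."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, src = pkt[9], socket.inet_ntoa(pkt[12:16])
    if proto != 1 or len(pkt) < ihl + 8 or pkt[ihl:ihl + 2] != b"\x03\x03":
        return None
    inner = pkt[ihl + 8:]                     # the quoted original datagram
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    in_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < in_ihl + 8:               # RFC 792: at least 8 bytes of the L4 header are quoted
        return None
    sport, dport = struct.unpack("!HH", inner[in_ihl:in_ihl + 4])
    return (src, socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
            inner[9], sport, dport)

def summarize(packets):
    """Count ICMP 3/3 by (host returning the error, original destination, original dport)."""
    tally = Counter()
    for pkt in packets:
        parsed = parse_port_unreachable(pkt)
        if parsed:
            icmp_src, _, orig_dst, _, _, dport = parsed
            tally[(icmp_src, orig_dst, dport)] += 1
    return tally

if __name__ == "__main__":
    # Constructed backscatter: our address 192.0.2.10 is being spoofed toward a DNS
    # target, and two hosts along the way reject with ICMP instead of dropping.
    sample = [build_port_unreachable("198.51.100.5", "192.0.2.10", "203.0.113.53", 40000 + i, 53)
              for i in range(3)]
    sample.append(build_port_unreachable("198.51.100.9", "192.0.2.10", "203.0.113.53", 1234, 53))
    for key, n in summarize(sample).most_common():
        print(key, n)
```

The tally keys are what you would use to decide between rate-limiting, contacting the host returning the errors, or blocking only that source of 3/3.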