[c-nsp] blocking icmp type 3 code 3

Phil Mayers p.mayers at imperial.ac.uk
Thu Jul 18 04:37:30 EDT 2013

On 07/17/2013 08:22 PM, Aaron wrote:
> Are there well-known attacks that produce a mass amount of icmp type 3
> (destination unreachable) code 3 (port unreachable) ?

As you suggest, spoofing which is blocked at the target with some kind 
of ACL/filter that is rejecting rather than dropping.

If you can set up a SPAN, you can examine the embedded IP/L4 header in 
the ICMP error message and get a better idea of the root cause. We've 
been getting backscatter from source-spoofed DNS attacks (not reflection 
attacks, although we've been getting those as well) of a very peculiar 
nature for a few weeks now. There's a lot of odd stuff going on at the 

> How to mitigate / combat this ?

With difficulty. Really, whoever is returning the ICMP is misbehaving; 
they may be being DDoSed, but returning an ICMP error in response to the 
DDoS just compounds the problem for yet more innocent parties.

You could contact the source of the ICMP, ask them to drop rather than 
error the traffic, or rate-limit the ICMP generation (shame router 
platforms aren't smarter in this respect).

> What if I acl deny icmp 3 3 inbound ?  downsides ?

Well, yes, you'll break ICMP error propagation for legitimate cases. If 
you must do this, consider rate-limiting them, or block only the people 
who are spamming you with 3/3.

What kind of traffic levels are you seeing? Because if it's e.e. 
100-1000 pps, another strategy is "ignore it".

More information about the cisco-nsp mailing list