[c-nsp] blocking icmp type 3 code 3 [no, but type 3 code 4 yes!]
Giles Coochey
giles at coochey.net
Thu Jul 18 05:07:24 EDT 2013
On 17/07/2013 20:22, Aaron wrote:
> Are there well-known attacks that produce a mass amount of icmp type 3
> (destination unreachable) code 3 (port unreachable) ?
>
> I've seen things like this in netflow lately. NO prior communications from
> my host(s) BUT I see the response of icmp 3 3. Leads me to believe someone
> is spoofing as coming from my network and thus causing icmp 3 3's to come
> back my way.
>
> How to mitigate / combat this ?
>
> What if I acl deny icmp 3 3 inbound ? downsides ?
>
> Aaron
>
I have not seen icmp 3 3's, but I have seen icmp 3 4's (Fragmentation
Needed but DF bit set).
It turns out that there are some devices out there that, if they receive
an icmp 3 4, actually send out the same packet again without
reducing the payload size; the net result is a self-inflicted DDoS.
Limelight Networks appeared to have hosts exhibiting this problem until
about March or April this year, but I've seen the problem resurface more
recently with a couple of Microsoft hosts:
213.199.149.133 and 213.199.149.227
The problem only manifests itself if you have a (usually intermediate)
hop with a lower MTU and hosts at the remote end that don't do stuff
like PMTU discovery (e.g. Windows XP).
--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at coochey.net
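As an added illustration (not from Aaron's or Giles's mail), here is a Python sketch of the two checks this thread raises, run over constructed NetFlow-style records: port-unreachables arriving for local hosts that never sent anything to the sender (Aaron's spoofing suspicion), and remote hosts that keep resending full-size packets after being sent a type 3 code 4 (Giles's observation). The /24, the addresses, the link MTU and the records themselves are constructed.

```python
import ipaddress
from collections import defaultdict

MY_NET = ipaddress.ip_network("198.51.100.0/24")  # constructed: our address space
LINK_MTU = 1400                                    # constructed: MTU of the narrow hop

# Constructed NetFlow-style records. For ICMP, NetFlow carries type*256+code in the
# destination-port field: 771 = type 3 code 3 (port unreachable), 772 = type 3 code 4.
FLOWS = [
    # normal: we send a UDP datagram and the remote answers port-unreachable
    dict(t=1, src="198.51.100.10", dst="203.0.113.5", proto=17, sport=40000, dport=53, size=80),
    dict(t=2, src="203.0.113.5", dst="198.51.100.10", proto=1, sport=0, dport=771, size=56),
    # suspicious: port-unreachables arrive, but nobody here ever talked to 203.0.113.9
    dict(t=3, src="203.0.113.9", dst="198.51.100.20", proto=1, sport=0, dport=771, size=56),
    dict(t=3, src="203.0.113.9", dst="198.51.100.21", proto=1, sport=0, dport=771, size=56),
    # remote host that ignores our 3/4 and resends the same 1500-byte packet
    dict(t=4, src="203.0.113.77", dst="198.51.100.30", proto=6, sport=80, dport=51000, size=1500),
    dict(t=4, src="198.51.100.1", dst="203.0.113.77", proto=1, sport=0, dport=772, size=56),
    dict(t=5, src="203.0.113.77", dst="198.51.100.30", proto=6, sport=80, dport=51000, size=1500),
    dict(t=6, src="203.0.113.77", dst="198.51.100.30", proto=6, sport=80, dport=51000, size=1500),
    # well-behaved remote host that shrinks its packets after one 3/4
    dict(t=7, src="203.0.113.88", dst="198.51.100.30", proto=6, sport=80, dport=51001, size=1500),
    dict(t=7, src="198.51.100.1", dst="203.0.113.88", proto=1, sport=0, dport=772, size=56),
    dict(t=8, src="203.0.113.88", dst="198.51.100.30", proto=6, sport=80, dport=51001, size=1400),
]

def is_ours(addr):
    return ipaddress.ip_address(addr) in MY_NET

def unsolicited_unreachables(flows):
    """Inbound ICMP type 3 whose (local, remote) pair had no earlier outbound flow from us."""
    seen_outbound, hits = set(), []
    for f in sorted(flows, key=lambda f: f["t"]):
        if is_ours(f["src"]) and not is_ours(f["dst"]):
            seen_outbound.add((f["src"], f["dst"]))
        elif f["proto"] == 1 and f["dport"] // 256 == 3 and is_ours(f["dst"]):
            if (f["dst"], f["src"]) not in seen_outbound:
                hits.append((f["src"], f["dst"], f["dport"] % 256))  # (remote, local, code)
    return hits

def ignores_frag_needed(flows, mtu=LINK_MTU, repeats=2):
    """Remote hosts still sending packets larger than mtu after we sent them type 3 code 4."""
    told, resends = set(), defaultdict(int)
    for f in sorted(flows, key=lambda f: f["t"]):
        if f["proto"] == 1 and f["dport"] == 772 and is_ours(f["src"]):
            told.add(f["dst"])
        elif f["src"] in told and f["size"] > mtu:
            resends[f["src"]] += 1
    return {h: n for h, n in resends.items() if n >= repeats}
```

A host flagged by the first check is a candidate for an upstream spoofing complaint rather than a blanket `deny icmp 3 3`; one flagged by the second is the self-inflicted resend behaviour described above.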