[c-nsp] blocking icmp type 3 code 3 [no, but type 3 code 4 yes!]

Giles Coochey giles at coochey.net
Thu Jul 18 05:07:24 EDT 2013

On 17/07/2013 20:22, Aaron wrote:
> Are there well-known attacks that produce a mass amount of icmp type 3
> (destination unreachable) code 3 (port unreachable) ?
> I've seen things like this in netflow lately. NO prior communications from
> my host(s) BUT I see the response of icmp 3 3. Leads me to believe someone
> is spoofing as coming from my network and thus causing icmp 3 3's to come
> back my way.
> How to mitigate / combat this ?
> What if I acl deny icmp 3 3 inbound ?  downsides ?
> Aaron
I have not seen icmp 3 3s, but I have seen icmp 3 4s (Fragmentation 
Needed but DF bit set).

It turns out that there are some devices out there that, if they receive 
an icmp 3 4, actually send out the same packet again without 
reducing the payload size; the net result is a self-inflicted DDoS.

Limelight networks appeared to have hosts exhibiting this problem until 
about March or April this year, but I've seen the problem resurface more 
recently with a couple of Microsoft hosts: and

The problem only manifests itself if you have a (usually intermediate) 
hop with a lower MTU and hosts at the remote end that don't do stuff 
like PMTU discovery (e.g. Windows XP).


Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
giles at coochey.net
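The behaviour Giles describes (a host that receives ICMP type 3 code 4 and retransmits the same-size packet instead of lowering its path MTU) can be illustrated with a small simulation. The following is an added example, not code from the thread or from any vendor: it builds a constructed ICMP "fragmentation needed" message quoting the original IP header (RFC 792/1191 layout), parses it, and compares an RFC 1191-compliant sender that lowers its path MTU against the broken retransmit-unchanged behaviour. The addresses are TEST-NET placeholders and the `PmtudSender` class and its methods are hypothetical names chosen for this example.

```python
import struct

ICMP_DEST_UNREACH = 3        # ICMP type 3
CODE_PORT_UNREACH = 3        # code 3, the "icmp 3 3" from the question
CODE_FRAG_NEEDED = 4         # code 4, "Fragmentation Needed and DF set"
IPV4_MIN_MTU = 68            # RFC 1191: never go below this

# RFC 1191 section 7.1 plateau table, used when a router reports Next-Hop MTU = 0
RFC1191_PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def icmp_checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dest_unreachable(code: int, next_hop_mtu: int, src: str, dst: str,
                           orig_total_len: int, proto: int = 6) -> bytes:
    """Construct an ICMP destination-unreachable message (sample data, not a capture).

    Layout: type, code, checksum, unused(16), Next-Hop MTU(16), then the original
    IPv4 header plus the first 8 bytes of the offending datagram (zeroed here)."""
    inner_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, orig_total_len, 0x1234, 0x4000,
                            64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    inner = inner_hdr + b"\x00" * 8
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, next_hop_mtu)
    csum = icmp_checksum(hdr + inner)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, csum, 0, next_hop_mtu) + inner


def parse_icmp_unreachable(icmp: bytes) -> dict:
    """Parse type/code, Next-Hop MTU and the quoted original header; reject bad checksums."""
    if len(icmp) < 8 + 20 or icmp_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]
    return {
        "type": icmp_type,
        "code": code,
        "next_hop_mtu": next_hop_mtu,
        "inner_total_length": struct.unpack("!H", inner[2:4])[0],
        "inner_proto": inner[9],
        "inner_src": ".".join(map(str, inner[12:16])),
        "inner_dst": ".".join(map(str, inner[16:20])),
    }


def next_plateau(length: int) -> int:
    """Largest RFC 1191 plateau strictly below the quoted datagram length."""
    return next(p for p in RFC1191_PLATEAUS if p < length)


class PmtudSender:
    """Hypothetical sender that tracks a per-destination path MTU (RFC 1191 behaviour)."""

    def __init__(self, local_ip: str, dest_ip: str, mtu: int = 1500):
        self.local_ip, self.dest_ip, self.path_mtu = local_ip, dest_ip, mtu

    def handle_frag_needed(self, msg: dict):
        """Lower path_mtu on a valid ICMP 3/4; return None if the message is ignored."""
        if msg["type"] != ICMP_DEST_UNREACH or msg["code"] != CODE_FRAG_NEEDED:
            return None
        # Only act on messages quoting our own traffic to this peer; anything else
        # (spoofed or misdirected ICMP) must not shrink the MTU.
        if msg["inner_src"] != self.local_ip or msg["inner_dst"] != self.dest_ip:
            return None
        mtu = msg["next_hop_mtu"] or next_plateau(msg["inner_total_length"])
        if mtu < IPV4_MIN_MTU:
            return None
        self.path_mtu = min(self.path_mtu, mtu)
        return self.path_mtu


def simulate(link_mtu: int, payload: int, pmtud_aware: bool, max_rounds: int = 8) -> int:
    """Transmissions until a DF packet fits the smallest hop, or -1 if it never does."""
    sender = PmtudSender("192.0.2.10", "198.51.100.20", mtu=payload)
    size = payload
    for attempt in range(1, max_rounds + 1):
        if size <= link_mtu:
            return attempt
        # The intermediate hop drops the DF packet and returns ICMP 3/4 quoting our header.
        icmp = build_dest_unreachable(CODE_FRAG_NEEDED, link_mtu,
                                      sender.local_ip, sender.dest_ip, size)
        msg = parse_icmp_unreachable(icmp)
        if pmtud_aware:
            size = sender.handle_frag_needed(msg) or size
        # The broken hosts from the thread fall through here and resend the same size.
    return -1


if __name__ == "__main__":
    print("RFC 1191 sender:", simulate(1400, 1500, True))    # converges on the second try
    print("broken sender:  ", simulate(1400, 1500, False))   # -1: retransmit storm
```

The `-1` case is the self-inflicted DDoS from the thread in miniature: every retransmission is dropped at the low-MTU hop and answered with another ICMP 3/4, so traffic volume grows with the retry count rather than the data actually delivered. The spoof check in `handle_frag_needed` is also why blanket filtering of ICMP type 3 inbound is a poor mitigation: a host that validates the quoted header already ignores unsolicited unreachables, while dropping code 4 breaks PMTU discovery for everyone behind the filter.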
