Both redirects and unreachables can be used to implement a Denial of Service attack. We allow them internally for troubleshooting but disallow both transmission to and reception from the global internet, both to prevent DDoS from compromised hosts and from external hosts with hostile intent.
I really want to go back to the days when it was safe and acceptable to run a completely open network. Right now the internet is becoming more and more like a no-man's land.

Leonardo Gama Souza wrote:

> as for the interface stuff...
>
> >> Per Interface Config
> >>
> >> no ip redirects
> >> no ip unreachables
> >>
>
> personally, I don't like those two. what's wrong about a router
> _sending_ icmp redirects or (even more important/useful) icmp
> unreachables?
> keep in mind those commands are not about accepting those (but, as said:
> sending them).
>
> [Leonardo Gama Souza]
>
> Personally I think it's much better to rate-limit 'ip unreachables' than
> to block them.
> Probably Cisco doesn't change these silly defaults because they won't
> have selling points for tools such as SDM. :)
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
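The three positions in this thread (turn the messages off per interface, rate-limit them globally, or keep them internally and filter at the border) side by side as an added Cisco IOS example; this is not configuration from any poster. Interface names and the 1000 ms value are placeholders, and the packet-too-big exception is an added consideration so that PMTUD keeps working past the edge filter.

```cisco
! Option A: the "Per Interface Config" quoted above, applied only on the
! internet-facing interface. Stops the router *sending* redirects and
! unreachables out of this interface; it does not filter inbound ones.
interface GigabitEthernet0/0
 description Upstream (placeholder name)
 no ip redirects
 no ip unreachables
!
! Option B: keep sending unreachables but cap the rate (global command).
! IOS defaults to one unreachable per 500 ms; this widens it to one per second.
ip icmp rate-limit unreachable 1000
!
! Option C: leave the defaults on internal interfaces for troubleshooting and
! drop redirects/unreachables at the border in both directions.
! Fragmentation-needed (type 3 code 4) is permitted first so Path MTU Discovery
! for hosts behind this router still works; the other codes are logged and dropped.
ip access-list extended EDGE-IN
 permit icmp any any packet-too-big
 deny   icmp any any redirect log
 deny   icmp any any unreachable log
 permit ip any any
!
ip access-list extended EDGE-OUT
 permit icmp any any packet-too-big
 deny   icmp any any redirect log
 deny   icmp any any unreachable log
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
! Internal interface: ICMP defaults untouched, so redirects and
! unreachables remain available to operators inside the network.
interface GigabitEthernet0/1
 description Internal LAN (placeholder name)
```

Option A and Option C overlap on the upstream interface; pick one of them there, and note that Option B applies router-wide, not per interface.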
