* Fredy Kuenzler <[EMAIL PROTECTED]>:
We seem to experience quite a bit of ICMP DoS attacks. They come along in waves, which makes some devices within our backbone stumble and lose packets.
DoS, or the well-known Nachi worm? (Nachi uses 92-byte packets exclusively, so it should be easy to sort that out)
Seems to be.
As ICMP should generally not be blocked, I'm thinking about rate limiting it on core routers. Any hints, links, suggestions?
There was a discussion about this topic just one or two weeks ago
on the NANOG lists.
Hmmm obviously missed it.
Anyway, I installed the Cisco route-map recommendation on all Init Seven backbone doors:
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml#policyrouting
and we see rather a lot of dropped packets:
r3.tix#sh route-map nachi-worm
route-map nachi-worm, permit, sequence 10
  Match clauses:
    ip address (access-lists): 103
    length 92 92
  Set clauses:
    interface Null0
  Policy routing matches: 96816 packets, 9381166 bytes

(approx. measured time 1/2h)
Hope this helped. At least I7 is now Nachi-free ;-)
F.
---------------------------------------------- [EMAIL PROTECTED] Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
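What the route-map's two match clauses select, as an added example that is not part of the original post or of the Cisco advisory. It assumes access-list 103 (not shown in the post) matches ICMP echo and echo-reply; the packets are constructed sample data and all function names are hypothetical.

```python
import struct

MATCH_LEN = 92            # from the route-map output: "length 92 92"
ECHO_REPLY, ECHO = 0, 8   # assumed contents of ACL 103 (not shown in the post)

def ipv4(proto: int, l4: bytes) -> bytes:
    """Constructed IPv4 packet: 20-byte header, checksum left at 0 (sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + l4

def icmp(icmp_type: int, payload_len: int) -> bytes:
    """Constructed ICMP message: 8-byte header plus filler payload."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * payload_len

def matches_policy(pkt: bytes) -> bool:
    """True if the packet satisfies both clauses: ICMP echo/echo-reply AND length 92."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                    # header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 1:   # protocol 1 = ICMP
        return False
    return total_len == MATCH_LEN and pkt[ihl] in (ECHO, ECHO_REPLY)

def policy_counters(packets) -> tuple:
    """Mirror of 'Policy routing matches: N packets, M bytes' for a packet list."""
    hits = [p for p in packets if matches_policy(p)]
    return len(hits), sum(len(p) for p in hits)

# Constructed samples: description -> packet
SAMPLES = {
    "echo, 64-byte payload (92 total)":       ipv4(1, icmp(ECHO, 64)),
    "echo reply, 64-byte payload (92 total)": ipv4(1, icmp(ECHO_REPLY, 64)),
    "echo, 56-byte payload (84 total)":       ipv4(1, icmp(ECHO, 56)),
    "echo, 32-byte payload (60 total)":       ipv4(1, icmp(ECHO, 32)),
    "dest unreachable, 92 total":             ipv4(1, icmp(3, 64)),
    "UDP, 92 total":                          ipv4(17, b"\x00" * 72),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{'Null0' if matches_policy(pkt) else 'pass ':5}  {name}")
    print("matches: %d packets, %d bytes" % policy_counters(SAMPLES.values()))
```

The match is on type and length only, so a legitimate ping sent with a 64-byte payload is dropped as well, while pings at the common 32- and 56-byte default sizes and other ICMP types pass.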