found on: http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml#policyrouting
says:
Warning: Microsoft Windows tracert utility uses 92 bytes sized ICMP packets. Using PBR to filter those packets will cause tracert utility not to work.
Nachi & Windows tracert's free...
Roger
Fredy Kuenzler wrote:
Lukas Beeler wrote:
* Fredy Kuenzler <[EMAIL PROTECTED]>:
We seem to experience quite a bit of ICMP DoS attacks. They come along in waves, which makes some devices within our backbone stumble and lose packets.
DoS, or the well-known Nachi worm? (Nachi uses 92-byte packets exclusively, so it should be easy to sort that out)
Seems to be.
As ICMP should generally not be blocked, I'm thinking about rate limiting it on core routers. Any hints, links, suggestions?
There was a discussion about this topic just one or two weeks ago on the NANOG lists.
Hmmm obviously missed it.
Anyway, I installed the Cisco route-map recommendation on all Init Seven backbone doors:
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml#policyrouting
and we see rather a lot of dropped packets:
r3.tix#sh route-map nachi-worm
route-map nachi-worm, permit, sequence 10
  Match clauses:
    ip address (access-lists): 103
    length 92 92
  Set clauses:
    interface Null0
  Policy routing matches: 96816 packets, 9381166 bytes
(appx measured time 1/2h)
Hope this helped. At least I7 is now nachi-free ;-) F.
---------------------------------------------- [EMAIL PROTECTED] Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
-- We are happy to provide further information at any time.
Kind regards, Roger Buchwalder
Internet Online AG Adlikerstr. 290 8105 Regensdorf Switzerland [EMAIL PROTECTED] tel +41 1 871 40 70 fax +41 1 871 40 80
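Added example, not part of the thread or of Cisco's advisory: a Python model of the route-map match shown above, run over constructed packets, showing why a 92-byte length match drops Windows tracert probes together with Nachi pings. It assumes access-list 103 (its contents are not shown in the thread) selects ICMP echo and echo-reply, and that the payload fill bytes (0xAA for Nachi, zeros for tracert) are as commonly reported; all function names are hypothetical.

```python
import struct

def build_echo(payload: bytes, ttl: int) -> bytes:
    """Constructed IPv4 + ICMP echo request (checksums left at 0, test addresses)."""
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request
    return ip + icmp + payload

def parse(pkt: bytes):
    """Return (protocol, ip_total_length, icmp_type, payload), or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    (total_len,) = struct.unpack("!H", pkt[2:4])
    proto = pkt[9]
    icmp_type = pkt[ihl] if proto == 1 else None
    return proto, total_len, icmp_type, pkt[ihl + 8:total_len]

def route_map_matches(pkt: bytes) -> bool:
    """Model of the page's match clauses: ACL (assumed: ICMP echo/echo-reply)
    AND 'length 92 92', which compares the layer-3 packet length."""
    p = parse(pkt)
    return p is not None and p[0] == 1 and p[2] in (0, 8) and p[1] == 92

def classify(pkt: bytes) -> str:
    """Say what the route-map does, and whether the drop is collateral."""
    if not route_map_matches(pkt):
        return "forwarded"
    payload = parse(pkt)[3]
    # Assumption: Nachi fills its 64-byte echo payload with 0xAA.
    if payload and set(payload) == {0xAA}:
        return "dropped: nachi-like"
    return "dropped: collateral"

# Constructed samples: 20 (IP) + 8 (ICMP) + 64 (data) = 92 bytes for the first two.
NACHI_LIKE = build_echo(b"\xaa" * 64, ttl=128)
TRACERT_LIKE = build_echo(b"\x00" * 64, ttl=1)   # assumed tracert payload: zeros
PING_32 = build_echo(b"a" * 32, ttl=128)         # 60-byte packet, outside the match

if __name__ == "__main__":
    for name, pkt in [("nachi-like", NACHI_LIKE), ("tracert-like", TRACERT_LIKE),
                      ("32-byte ping", PING_32)]:
        print(f"{name:13s} len={parse(pkt)[1]:3d} -> {classify(pkt)}")
```

The router only sees protocol, ICMP type and length, so it cannot make the payload distinction that `classify` draws; that is why the "Policy routing matches" counter includes any tracert probes as well as worm traffic.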