Cisco Support Community

New Member

Ping of Death Protection options

Hi,

I would like to protect my network against the ping of death attack. The IOS IDS allows the detection of this kind of traffic, but does it drop the ICMP packet? If I don't have any IOS FW feature set, what are my options to protect my router? Is this ACL enough:

access-list 101 deny icmp any any fragment

Thanks for your help and comments !!

Francois

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Ping of Death Protection options

Hello Francois,

You asked "Could somebody confirm to me that the IOS IDS is also able to prevent such an attack by "dropping" ICMP Ping of Death packets?". The answer appears to be so. Per Configuring Cisco IOS Firewall Intrusion Detection System

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm

2154 Ping of Death Attack (Attack, Atomic)

Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and

( IP offset * 8 ) + (IP data length) > 65535

In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

Hope that helps! If so, please rate.

Thanks
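The signature condition quoted above can be checked directly against IPv4 header fields. The following is an added example (not code from the thread, from Cisco, or from the IOS IDS) that parses a raw IPv4 header, applies the signature 2154 test (protocol 1, MF flag clear, offset*8 + data length > 65535), and, as a separate function, models what an ACL entry with the `fragments` keyword matches (non-initial fragments, i.e. fragment offset greater than zero; that semantics is an assumption stated here, not something the thread says). All packets are constructed headers, not captures.

```python
"""
Signature-2154-style Ping of Death check over raw IPv4 headers.

Added example (not from the thread or from Cisco). It reproduces the
condition quoted from the IOS Firewall IDS documentation,
    (IP offset * 8) + (IP data length) > 65535
for the last fragment of an ICMP datagram, plus a companion check that
models an ACL `fragments` match (non-initial fragments only; assumption).
The sample packets below are constructed, not captured.
"""
import struct

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
MAX_IP_DATAGRAM = 65535
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, RFC 791


def parse_ipv4_header(packet: bytes) -> dict:
    """Return the header fields the signature needs; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack(IPV4_FMT, packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    return {
        "protocol": proto,
        "header_len": ihl,
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),  # MF flag
        "frag_offset": flags_frag & 0x1FFF,           # in 8-byte units
        # "IP data length" in the signature text: payload in this fragment
        "data_len": total_len - ihl,
    }


def is_ping_of_death(packet: bytes) -> bool:
    """Signature 2154: ICMP, last fragment (MF clear), and the reassembled
    datagram would exceed the 65535-byte IP maximum."""
    h = parse_ipv4_header(packet)
    if h["protocol"] != IPPROTO_ICMP:
        return False
    if h["more_fragments"]:
        return False  # not the last fragment, so the final size is unknown
    return (h["frag_offset"] * 8) + h["data_len"] > MAX_IP_DATAGRAM


def matches_acl_fragments_keyword(packet: bytes) -> bool:
    """Models an ACE ending in `fragments` (assumption: it matches
    non-initial fragments, offset > 0, regardless of layer-4 content).
    Note the initial fragment, offset 0, is not matched by such an entry."""
    return parse_ipv4_header(packet)["frag_offset"] > 0


def build_ipv4_header(proto: int, total_len: int,
                      more_fragments: bool, frag_offset: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero, no payload bytes
    appended; data length is taken from the Total Length field)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack(IPV4_FMT, 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


# Constructed samples (documentation addresses, no real traffic).
SAMPLES = {
    # offset 8100*8 = 64800, plus 500 bytes of data = 65300: legal
    "benign_last_fragment": build_ipv4_header(IPPROTO_ICMP, 520, False, 8100),
    # offset 8189*8 = 65512, plus 40 bytes of data = 65552: exceeds 65535
    "ping_of_death_last_fragment": build_ipv4_header(IPPROTO_ICMP, 60, False, 8189),
    # initial fragment with MF set: not the last fragment, not a match
    "initial_fragment_mf_set": build_ipv4_header(IPPROTO_ICMP, 1500, True, 0),
    # same oversize geometry but UDP: signature 2154 is ICMP-only
    "udp_oversized_last_fragment": build_ipv4_header(IPPROTO_UDP, 60, False, 8189),
}


def classify_samples() -> dict:
    """Run both checks over every sample; used by the usage block below."""
    return {name: {"signature_2154": is_ping_of_death(pkt),
                   "acl_fragments": matches_acl_fragments_keyword(pkt)}
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:32s} {result}")
```

The two checks differ in a way worth noticing when reading the classification: the signature fires only on the ICMP last fragment whose reassembled size is too large, while a `fragments`-style ACL entry matches every non-initial fragment of any protocol and leaves the initial fragment untouched.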

4 REPLIES

Re: Ping of Death Protection options

Hi Francois,

Alternatively, you can use committed access rate (CAR) to control incoming ping/ICMP traffic into your network on the perimeter/internet router.

If this suits your environment, try configuring CAR on your router. CAR is also useful to address DoS attacks.

Look at the example on "Rate Limit ICMP/Smurf". Others are useful as well.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml

Rgds,

AK

New Member

Re: Ping of Death Protection options

Hi,

CAR is also a nice alternative to solve this issue. Could somebody confirm to me that the IOS IDS is also able to prevent such an attack by "dropping" ICMP Ping of Death packets?

Thanks

Francois

New Member

Re: Ping of Death Protection options

Hi,

Thanks for your reply, this is what I was looking for.

Regards.
