07-24-2006 04:41 AM - edited 03-10-2019 03:07 AM
Hi,
I would like to protect my network against the ping of death attack. The IOS IDS allows detection of this kind of traffic, but does it drop the ICMP packet? If I don't have any IOS FW feature set, what are my options to protect my router? Is this ACL enough:
access-list 101 deny icmp any any fragments
Thanks for your help and comments !!
Francois
07-25-2006 02:03 AM
Hello Francois,
You asked "Could somebody confirm for me that the IOS IDS is also able to prevent such an attack by "dropping" ICMP Ping of Death packets?". The answer appears to be yes. Per Configuring Cisco IOS Firewall Intrusion Detection System:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm
2154 Ping of Death Attack (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and
(IP offset * 8) + (IP data length) > 65535
In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
Hope that helps! If so, please rate.
Thanks
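The signature 2154 condition quoted above, as an added example that is not from this thread or from Cisco's code: a Python check that decodes the IPv4 header and applies the rule to constructed sample headers. It assumes "IP data length" means the IP total length minus the header length, and that the sample headers (no payload, no checksum) carry only the fields the check needs.

```python
import struct

IPPROTO_ICMP = 1
MAX_IP_DATAGRAM = 65535  # largest reassembled IP datagram, in bytes


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields the signature needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),  # MF flag: not the last fragment
        "frag_offset": flags_frag & 0x1FFF,           # 13-bit offset, in 8-byte units
        "data_len": total_len - ihl,                  # assumption: IP data length
    }


def is_ping_of_death(pkt: bytes) -> bool:
    """Signature 2154: ICMP, last fragment, and offset*8 + data length > 65535."""
    h = parse_ipv4_header(pkt)
    if h["proto"] != IPPROTO_ICMP or h["more_fragments"]:
        return False
    return h["frag_offset"] * 8 + h["data_len"] > MAX_IP_DATAGRAM


def build_ipv4_header(total_len: int, frag_offset: int, more_fragments: bool,
                      proto: int = IPPROTO_ICMP) -> bytes:
    """Constructed 20-byte test header (documentation addresses, zero checksum)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


if __name__ == "__main__":
    # Constructed samples: a normal echo, a legal last fragment, an oversized one.
    samples = {
        "normal echo (84 bytes)": build_ipv4_header(84, 0, False),
        "last fragment, reassembles to 65535": build_ipv4_header(75, 8185, False),
        "last fragment, reassembles to 65580": build_ipv4_header(120, 8185, False),
        "same offset but MF set (not last)": build_ipv4_header(120, 8185, True),
    }
    for name, hdr in samples.items():
        print(f"{name}: {'ALERT 2154' if is_ping_of_death(hdr) else 'ok'}")
```

The legal last fragment sits at offset 8185 (65480 bytes) with 55 bytes of data, exactly 65535; one more byte of data trips the signature.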
07-24-2006 04:34 PM
Hi Francois,
Alternatively, you can use committed access rate (CAR) to control incoming ping/ICMP traffic into your network on the perimeter/internet router.
If this suits your environment, try configuring CAR on your router. CAR is also useful to address DoS attacks.
Look at the example on "Rate Limit ICMP/Smurf". Others are useful as well.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml
Rgds,
AK
07-25-2006 12:37 AM
Hi,
CAR is also a nice alternative to solve this issue. Could somebody confirm for me that the IOS IDS is also able to prevent such an attack by "dropping" ICMP Ping of Death packets?
Thanks
Francois
07-25-2006 02:55 AM
Hi,
Thanks for your reply, this is what I was looking for.
Regards.