Ping of Death Protection options

buntschu
Level 1

Hi,

I would like to protect my network against the ping of death attack. The IOS IDS allows the detection of this kind of traffic, but does it drop the ICMP packet? If I don't have any IOS FW feature set, what are my options to protect my router? Is this ACL enough:

access-list 101 deny icmp any any fragments

Thanks for your help and comments !!

Francois


4 Replies

a.kiprawih
Level 7

Hi Francois,

Alternatively, you can use committed access rate (CAR) to control incoming ping/ICMP traffic into your network on the perimeter/Internet router.

If this suits your environment, try configuring CAR on your router. CAR is also useful for addressing DoS attacks.

Look at the example on "Rate Limit ICMP/Smurf". Others are useful as well.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a00800fb50a.shtml

Rgds,

AK

Hi,

CAR is also a nice alternative to solve this issue. Could somebody confirm for me that the IOS IDS is also able to prevent such an attack by "dropping" ICMP Ping of Death packets?

Thanks

Francois

Hello Francois,

You asked "Could somebody confirm for me that the IOS IDS is also able to prevent such an attack by "dropping" ICMP Ping of Death packets?". It appears so. Per "Configuring Cisco IOS Firewall Intrusion Detection System":

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfids.htm

2154 Ping of Death Attack (Attack, Atomic)

Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and

( IP offset * 8 ) + (IP data length) > 65535

In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.

Hope that helps! If so, please rate.

Thanks
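The signature 2154 condition quoted above, written out as a check over raw IPv4 headers so the arithmetic can be seen working. This is an added example, not code from the thread or from Cisco IOS; the sample headers and their field values are constructed here, and the way the IOS IDS itself evaluates the signature is not shown.

```python
import struct

MAX_IP_LENGTH = 65535    # largest datagram the 16-bit IPv4 total-length field can describe
MORE_FRAGMENTS = 0x2000  # MF flag in the flags/fragment-offset field; clear on the last fragment
OFFSET_MASK = 0x1FFF     # 13-bit fragment offset, in 8-byte units

def is_ping_of_death_fragment(packet: bytes) -> bool:
    """True when a raw IPv4 header matches the signature 2154 condition:
    protocol 1 (ICMP), Last Fragment (MF clear), and (offset * 8) + data length > 65535."""
    if len(packet) < 20:
        return False                      # too short to be an IPv4 header
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 1:
        return False                      # not IPv4, or not ICMP
    header_len = (ver_ihl & 0x0F) * 4
    data_len = total_len - header_len     # "IP data length": payload carried by this fragment
    offset_bytes = (flags_frag & OFFSET_MASK) * 8
    last_fragment = not (flags_frag & MORE_FRAGMENTS)
    # The signature fires only on the last fragment, because only then is the
    # reassembled size known; a middle fragment alone cannot prove an overflow.
    return last_fragment and offset_bytes + data_len > MAX_IP_LENGTH

def build_ipv4_header(total_len: int, flags_frag: int, proto: int = 1) -> bytes:
    """Constructed 20-byte IPv4 header for the samples below (not captured traffic)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

# Constructed samples. Offset 8189 * 8 = 65512, so a last fragment carrying more
# than 23 payload bytes at that offset would reassemble past 65535.
SAMPLES = {
    "last_fragment_overflow": build_ipv4_header(total_len=20 + 48, flags_frag=8189),
    "last_fragment_fits":     build_ipv4_header(total_len=20 + 16, flags_frag=8189),
    "middle_fragment":        build_ipv4_header(total_len=20 + 48, flags_frag=MORE_FRAGMENTS | 8189),
    "udp_not_icmp":           build_ipv4_header(total_len=20 + 48, flags_frag=8189, proto=17),
}

def classify_samples() -> dict:
    """Run the check over every sample and report which ones the signature would flag."""
    return {name: is_ping_of_death_fragment(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:24s} -> {'ALERT sig 2154' if flagged else 'ok'}")
```

For comparison, the ACL in the original question uses the IOS `fragments` keyword, which matches every non-initial fragment (offset greater than zero) regardless of size, so it drops the last fragment the signature would evaluate but also all other non-initial ICMP fragments, including legitimate ones.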

Hi,

Thanks for your reply, this is what I was looking for.

Regards.
