Please note that if you have the firewall feature (ZBF) enabled, it will still be a problem.
For example check the Cisco ASA:
- When mitigating using:
icmp deny any unreachable outside
icmp deny any time outside
the reduction in load is less than 50% on packets towards the ASA outside IP, but it does not affect the load of packets towards hosts behind the ASA550. On a 5515-X it did not prevent 100% CPU at 50k packets per second with type 3 ICMP packets.
We would kindly like to inform you about some interesting results in our experiments with "unassigned" ICMP types.
When flooding Cisco ASAs (a handful of older as well as newer models) with "unassigned" ICMP type=1, type=2, etc., it seems that the ASA is computing the "number of connections / sec" differently:
X "normal" ICMP's / sec => X connections / sec
X "unassigned" ICMP's / sec => one single connection !
In other words: DoS flooding with "unassigned" types is INVISIBLE in the ASA connection statistics ;-)
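Added example, not from either commenter above: a small Python monitor that parses raw IPv4/ICMP packets, counts them per source and ICMP type, and reports sources sending many packets of a type outside an expected allowlist, which is where the "unassigned" types that the ASA connection statistics do not reflect would surface. The allowlist, the threshold and the sample packets are assumptions constructed for the example.

```python
import struct
from collections import Counter

# Allowlist of ICMP types a site normally expects; an assumption for this
# example. Anything else (e.g. IANA-unassigned types 1, 2, 7) is reported.
EXPECTED_ICMP_TYPES = {0, 3, 5, 8, 9, 10, 11, 12, 13, 14}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes):
    """(src_ip, icmp_type, checksum_ok) for a raw IPv4 packet; None if not ICMP/truncated."""
    if len(packet) < 20 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8:
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    icmp = packet[ihl:]
    icmp_type, _code, cksum = struct.unpack("!BBH", icmp[:4])
    ok = icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == cksum
    return src_ip, icmp_type, ok

def unexpected_icmp_sources(packets, threshold):
    """Count packets per (source, ICMP type); return pairs whose type is outside
    EXPECTED_ICMP_TYPES and whose count reaches threshold. Bad checksums -> type -1."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed:
            src, t, ok = parsed
            counts[(src, t if ok else -1)] += 1
    return {k: n for k, n in counts.items()
            if n >= threshold and k[1] not in EXPECTED_ICMP_TYPES}

def sample_packet(src: str, icmp_type: int) -> bytes:
    """Constructed sample input: minimal IPv4 header + 8-byte ICMP message, in memory only."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     src_b, b"\xc0\xa8\x01\x01")  # dst 192.168.1.1 (constructed)
    return ip + icmp
```

Feed it packets captured on the outside interface (for instance via a pcap reader) instead of the constructed samples; the type -1 bucket catches malformed ICMP that the device may also count oddly.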