No IP Unreachables

For a long time, Cisco routers had the configuration capability to turn off ICMP Unreachable response. This was done with the interface command no ip unreachables. Whether this is done is an operational decision of the ISP—some do and some do not. The router requirements RFC (RFC1812) says that each device should respond with ICMP Unreachables, but when a network operator experiences an attack against a router, RFC niceties get left behind.

What can be recommended or considered is that no ip unreachables be applied to the special interfaces used on ISP routers: Loopback and Null0. For example, many ISPs use static routes to Null0 for their entire CIDR block to lock up their BGP advertisements. This Null0 route can be exploited by an ICMP Unreachable attack on the part of the CIDR block that has yet to be allocated and activated. By default, the router responds with ICMP Unreachable messages (rate limited to one per 500 ms) on the unallocated/activated part of the static to Null0. Turning off ICMP Unreachables prevents this from happening, black-holing the packets at that router.

interface Null0 no ip unreachables

ip route dest-to-drop mask Null0

Was this article helpful?

0 0

Post a comment