ed at texas.net
Wed Aug 13 19:00:00 UTC 1997
On Wed, Aug 13, 1997 at 06:46:55PM +0100, Lyndon Levesley said:
> Aug 13 18:43:59 permitted icmp 220.127.116.11 -> 18.104.22.168 (8/0), 8722 packets

8/0 is 'echo request', according to trusty old
/usr/include/net_inet/ip_icmp.h (Solaris 2.5.1)

> [ some others snipped out ]
> Now if only Cisco's let you obtain a "src_hardware_addr" :(

Doesn't the 'log-input' keyword log the input interface? At
the end of the access-list rule.
Or, copy the access-list to another access-list number, and
use different access-list numbers on different interfaces.
(If you don't need the input interface at all, but the source
host, then some type of packet sniffing is the only way to go.. sorry
I can't help..)

And here's something that I wrote up, it's an idea to stop
Policy routing is fast switched in the right IOS revs (I
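think starting at 11.2(6)F). Your config would look something like:

! match ICMP echo-reply from any source to any destination
access-list 101 permit icmp any any echo-reply
!
! policy-route whatever ACL 101 matches to the null interface
route-map KILLICMP permit 10
 match ip address 101
 set interface Null0
!
! apply the route-map on the inbound interface, fast switched
interface hssi 5/1/0
 ip policy route-map KILLICMP
 ip route-cache policy
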
Since denying on an ACL is process switched, and kills your router,
the goal is to make your router fast-switch the packet to /dev/null...
Thanks to Barry Raveendran Greene <bgreene at cisco.com> for this
one. I don't know for sure if it works, as I haven't had a chance
to try it, but if it does, let me know...
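
Added example, not part of the original post: a Python sketch that parses access-list log lines in the form quoted at the top of this message, decodes the ICMP (type/code) pair, and totals echo traffic per destination so the counts can be compared before and after a filter is applied. The sample lines, the documentation-range addresses and the 5000-packet threshold are constructed assumptions.

```python
import re
from collections import Counter

# ICMP (type, code) names from RFC 792; only a subset useful for flood triage.
ICMP_NAMES = {
    (0, 0): "echo-reply",
    (3, 1): "host-unreachable",
    (3, 3): "port-unreachable",
    (8, 0): "echo-request",
    (11, 0): "ttl-exceeded",
}

# Matches "... permitted icmp SRC -> DST (TYPE/CODE), N packets" as in the quoted log.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    rf"(?P<action>permitted|denied) icmp (?P<src>{IP}) -> (?P<dst>{IP}) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict for an ICMP log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    t, c = int(m["type"]), int(m["code"])
    return {"action": m["action"], "src": m["src"], "dst": m["dst"],
            "kind": ICMP_NAMES.get((t, c), f"type-{t}/code-{c}"),
            "count": int(m["count"])}

def echo_totals(lines):
    """Sum logged packet counts per (kind, destination) for echo traffic."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] in ("echo-request", "echo-reply"):
            totals[(rec["kind"], rec["dst"])] += rec["count"]
    return totals

def flood_targets(lines, threshold=5000):
    """Destinations whose echo packet total reaches the (assumed) threshold."""
    return sorted((dst, kind, n)
                  for (kind, dst), n in echo_totals(lines).items() if n >= threshold)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE = [
    "Aug 13 18:43:59 permitted icmp 192.0.2.10 -> 198.51.100.255 (8/0), 8722 packets",
    "Aug 13 18:44:05 permitted icmp 203.0.113.7 -> 192.0.2.10 (0/0), 4100 packets",
    "Aug 13 18:44:09 permitted icmp 203.0.113.9 -> 192.0.2.10 (0/0), 3900 packets",
    "Aug 13 18:44:12 permitted icmp 203.0.113.9 -> 192.0.2.20 (3/3), 1 packet",
    "Aug 13 18:44:20 permitted tcp 203.0.113.9(1025) -> 192.0.2.20(80), 1 packet",
]

if __name__ == "__main__":
    for dst, kind, n in flood_targets(SAMPLE):
        print(f"{dst}: {n} {kind} packets logged")
```
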