Loadsa ICMP...

Edward Henigin ed at texas.net
Wed Aug 13 19:00:00 UTC 1997


On Wed, Aug 13, 1997 at 06:46:55PM +0100, Lyndon Levesley said:
> 

[...]

> Aug 13 18:43:59 permitted icmp 149.112.125.54 -> 192.41.177.255 (8/0), 8722 packets

	8/0 is 'echo request', according to trusty old
/usr/include/net_inet/ip_icmp.h (Solaris 2.5.1)


> 
> [ some others snipped out ]
> 
> Now if only Cisco's let you obtain a "src_hardware_addr" :(

	doesn't the 'log-input' keyword log the input interface?  at
the end of the access-list rule.

	or, copy the access-list to another access-list number, and
use different access-list numbers on different interfaces.

	(if you don't need the input interface at all, but the source
host, then some type of packet sniffing is the only way to go.. sorry
I can't help..)

	And here's something that I wrote up, it's an idea to stop
the flood... 


"
	Policy routing is fast switched in the right IOS revs (I
think starting at 11.2(6)F).  Your config would look something like
this:

!
access-list 101 permit icmp any any echo-reply
!
route-map KILLICMP permit 10
 match ip address 101
 set interface Null0
!
!
interface hssi 5/1/0
 ip policy route-map KILLICMP
 ip route-cache policy
!

"

	Since denying on an ACL is process switched, and kills your router,
the goal is to make your router fast-switch the packet to /dev/null...
aka Null0.


	Thanks to Barry Raveendran Greene <bgreene at cisco.com> for this
one.  I don't know for sure if it works, as I haven't had a chance
to try it, but if it does, let me know...
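
Added example (not part of the original post, and not either poster's code): a Python parser for ACL log lines in the format quoted above, which decodes the ICMP type/code and totals echo requests aimed at broadcast-like destinations per source/destination pair. The 1000-packet threshold, the last-octet broadcast heuristic, and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# ICMP type/code names for the two values relevant here (RFC 792).
ICMP_NAMES = {(8, 0): "echo request", (0, 0): "echo reply"}

# Matches the part of the log line quoted in the post:
#   permitted icmp SRC -> DST (TYPE/CODE), N packets
LINE_RE = re.compile(
    r"(?P<action>permitted|denied) icmp (?P<src>\d+(?:\.\d+){3}) -> "
    r"(?P<dst>\d+(?:\.\d+){3}) \((?P<type>\d+)/(?P<code>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict for one ACL log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "count"):
        rec[key] = int(rec[key])
    rec["icmp"] = ICMP_NAMES.get((rec["type"], rec["code"]), "other")
    return rec

def looks_like_broadcast(dst):
    # Assumption: the netmask is unknown, so a last octet of 255 or 0
    # is treated as a possible directed-broadcast address.
    return dst.rsplit(".", 1)[1] in ("255", "0")

def summarize(lines, threshold=1000):
    """Total echo requests to broadcast-like addresses per (src, dst)."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["icmp"] == "echo request" and looks_like_broadcast(rec["dst"]):
            totals[(rec["src"], rec["dst"])] += rec["count"]
    return {pair: n for pair, n in totals.items() if n >= threshold}

SAMPLE = [
    "Aug 13 18:43:59 permitted icmp 149.112.125.54 -> 192.41.177.255 (8/0), 8722 packets",  # from the post
    "Aug 13 18:44:10 permitted icmp 192.0.2.10 -> 198.51.100.7 (8/0), 3 packets",  # constructed
    "Aug 13 18:44:12 permitted icmp 192.0.2.10 -> 198.51.100.255 (0/0), 5000 packets",  # constructed
    "Aug 13 18:48:59 permitted icmp 149.112.125.54 -> 192.41.177.255 (8/0), 9100 packets",  # constructed
]

if __name__ == "__main__":
    for (src, dst), n in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: {n} echo requests to a broadcast-like address")
```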


