Rate-limiting on serial interfaces to prevent common DoS attacks


rainman (ISP, US) - Mar 22, 2001
Does anyone have any good suggestions on ways to implement DoS protection by enabling rate-limiting features on serial interfaces? Also, by enabling such a feature, what type of burden would I expect to be placed on the router's processor? Any suggestions?


Rainman
 
rain - from what I understand, if you're not using a firewall/NAT, then there are a couple of things you can do. Anyone feel free to correct me if I'm wrong. First, make sure you have "no ip directed-broadcast" configured on the interface, and in global config specify "no ip source-route". Also, it is a very good idea to simply put an access list denying any ICMP traffic from the outside world, or you could configure QoS to put ICMP traffic at the lowest priority.

"access-list 101 permit icmp yourmachine any" (you'll prob. want some admin machines to be able to ping)
"access-list 101 deny icmp any any"

hope this helps.

jason
 
Basically, when ip redirects is enabled, the router is allowed to forward received packets back out the interface on which they were received. There are instances where this needs to be done (i.e. HSRP), but unless you have to, it's a bad idea to leave this enabled.
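Putting the replies together, as an added Cisco IOS example that is not from any of the posters: the global and interface hardening commands from the thread, plus the legacy CAR "rate-limit" command as the rate-limiting alternative the original question asked about (police ICMP instead of dropping it outright). The interface name, IP addresses (RFC 5737 documentation ranges standing in for "yourmachine") and the bit-rate/burst figures are assumed placeholders to tune for your link.

```cisco
! Added example (not from the thread): serial WAN interface hardening
! plus CAR policing of ICMP. Interface name, addresses and rates are
! placeholder assumptions.
!
! Global: discard source-routed packets (from jason's reply)
no ip source-route
!
! ACL 101: jason's filter. Admin host 192.0.2.10 may ping, all other
! ICMP is denied; the final permit is needed because an interface ACL
! ends in an implicit deny that would otherwise block all traffic.
access-list 101 permit icmp host 192.0.2.10 any
access-list 101 deny   icmp any any
access-list 101 permit ip any any
!
! ACL 102: classifier for the CAR policer. In CAR, a packet matching a
! "deny" entry is simply not policed, so admin pings are exempt and
! every other ICMP packet is rate-limited rather than dropped.
access-list 102 deny   icmp host 192.0.2.10 any
access-list 102 permit icmp any any
!
interface Serial0/0
 description WAN uplink (assumed interface name)
 ip address 203.0.113.2 255.255.255.252
 ! Interface hardening from the replies
 no ip directed-broadcast
 no ip redirects
 ! Option A: hard deny of outside ICMP (jason's suggestion)
 ! ip access-group 101 in
 ! Option B: police inbound ICMP to 64 kbit/s, 8000-byte normal and
 ! extended burst; conforming packets forwarded, excess dropped
 rate-limit input access-group 102 64000 8000 8000 conform-action transmit exceed-action drop
```

Use either the ACL or the policer for ICMP, not both, since ACL 101 would drop the traffic before the policer sees it. "show interfaces Serial0/0 rate-limit" shows the conform/exceed counters so you can confirm the policer is actually matching.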
 