North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Loadsa ICMP...

  • From: Edward Henigin
  • Date: Wed Aug 13 15:20:43 1997

On Wed, Aug 13, 1997 at 06:46:55PM +0100, Lyndon Levesley said:


> Aug 13 18:43:59 permitted icmp -> (8/0), 8722 packets

	8/0 is 'echo request', according to trusty old
/usr/include/net_inet/ip_icmp.h (Solaris 2.5.1)

> [ some others snipped out ]
> Now if only Cisco's let you obtain a "src_hardware_addr" :(

	doesn't the 'log-input' keyword log the input interface?  at
the end of the access-list rule.

	or, copy the access-list to another access-list number, and
use different access-list numbers on different interfaces.

	(if you don't need the input interface at all, but the source
host, then some type of packet sniffing is the only way to go.. sorry
I can't help..)

	And here's something that I wrote up, it's an idea to stop
the flood... 

	Policy routing is fast switched in the right IOS revs (I
think starting at 11.2(6)F).  Your config would look something like

access-list 101 permit icmp any any echo-reply
route-map KILLICMP permit 10
 match ip-address 101
 set interface Null0
interface hssi 5/1/0
 ip policy route-map KILLICMP
 ip route-cache policy


	Since denying on an ACL is process switched, and kills your router,
the goal is to make your router fast-switch the packet to /dev/null...
aka Null0.

	Thanks to Barry Raveendran Greene <[email protected]> for this
one.  I don't know for sure if it works, as I haven't had a chance
to try it, but if it does, let me know...