[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Michael Holstein michael.holstein at csuohio.edu
Tue Feb 1 22:08:14 GMT 2005


> Blocking ICMP between VLANs has stopped RPC viruses, that's a pretty
> neat trick.  You must have your voodoo filters turned up to 'more magic'.

Nope .. earlier versions of (was it Blaster or Nachi .. I forget?) would 
ping-sweep a network so as not to "waste" tcp packets on dead hosts 
(because NT has a limit on the number of 'half-open' tcp sockets). This 
in turn generated massive amounts of ICMP which many of us reflexively 
blocked -- and never found good cause to reactivate.

Being more specific than "block icmp any any" (Cisco parlance) is wise 
for reasons pointed out earlier (like permitting type 3 code 4). But as 
a general rule, turning off most of it stops several types of 
"amplification" DDOS attacks (well, that's only really true if your 
upstream will play ball with you on ACLs for your PVC).

(my $0.02) ..

Michael Holstein CISSP GCIA
Cleveland State University
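The selective ICMP filtering the post describes, written out as an added example in Cisco IOS ACL syntax (this is not configuration from the original post or from the poster's network). The ACL name, VLAN numbers and interface are assumed for illustration, and the closing `permit ip any any` assumes ICMP is the only traffic class this ACL is meant to restrict. The first block shows the blanket "block icmp any any" approach; the second permits the message types that cross-VLAN traffic actually depends on (type 3 code 4, which IOS names `packet-too-big`, so path MTU discovery keeps working; TTL-exceeded for traceroute; echo-reply so hosts can still receive answers to their own probes) and logs the ICMP it drops so ping sweeps show up in syslog:

```cisco
! --- Blanket filter: stops sweeps, but also breaks PMTUD and traceroute ---
ip access-list extended VLAN10-IN-BLANKET
 deny   icmp any any
 permit ip   any any

! --- Selective filter: keep the ICMP that TCP and diagnostics rely on ---
ip access-list extended VLAN10-IN
 remark Type 3 code 4: fragmentation needed / DF set (path MTU discovery)
 permit icmp any any packet-too-big
 remark Type 11: TTL exceeded, needed for traceroute
 permit icmp any any ttl-exceeded
 remark Type 0: replies to pings that hosts on this VLAN originate
 permit icmp any any echo-reply
 remark Everything else (echo requests, redirects, etc.) is dropped and logged
 deny   icmp any any log
 remark Assumption: non-ICMP traffic between VLANs is governed elsewhere
 permit ip   any any

! Apply inbound on the routed VLAN interface (assumed interface name)
interface Vlan10
 ip access-group VLAN10-IN in
```

The `log` keyword on the final ICMP deny is what turns the filter into a detection point: a worm that ping-sweeps the adjacent VLAN produces a burst of log entries from one source, which is easy to alert on. As the post notes, the same ACL only helps against amplification floods on the WAN side if the upstream provider applies equivalent filtering on the PVC.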