[unisog] Are cisco router VLAN ACL's stateful like a PIX?
michael.holstein at csuohio.edu
Tue Feb 1 22:08:14 GMT 2005
> Blocking ICMP between VLANs has stopped RPC viruses, that's a pretty
> neat trick. You must have your voodoo filters turned up to 'more magic'.
Nope .. earlier versions of (was it Blaster or Nachi .. I forget?) would
ping-sweep a network so as not to "waste" tcp packets on dead hosts
(because NT has a limit on the number of 'half-open' tcp sockets). This
in turn generated massive amounts of ICMP which many of us reflexively
blocked -- and never found good cause to reactivate.
Being more specific than "block icmp any any" (Cisco parlance) is wise
for reasons pointed out earlier (like permitting type 3 code 4). But as
a general rule, turning off most of it stops several types of
"amplification" DDOS attacks (well, that's only really true if your
upstream will play ball with you on ACLs for your PVC).
(my $0.02) ..
Michael Holstein CISSP GCIA
Cleveland State University
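To make the "be more specific than block icmp any any" point concrete, here is an added example (not from the original post, and not Michael Holstein's configuration) of a Cisco IOS extended ACL on a VLAN interface. The interface and ACL names are assumptions; the ICMP keywords (packet-too-big = type 3 code 4, time-exceeded, echo-reply, echo) are standard IOS ACL syntax. The ACL is applied inbound on the SVI, so it filters what hosts in that VLAN send toward other VLANs.

```cisco
! Added example, not from the original post. Interface and ACL names are assumed.
!
! Weak setting the post argues against: a blanket ICMP block. It kills
! path-MTU discovery (type 3 code 4) along with everything else.
ip access-list extended VLAN10-IN-BLANKET
 deny   icmp any any
 permit ip any any
!
! More specific alternative: keep the ICMP that hosts need and drop the rest.
!  - packet-too-big : type 3 code 4, so senders learn to fragment and PMTUD works
!  - time-exceeded  : traceroute / TTL diagnostics keep working
!  - echo-reply     : hosts in this VLAN can still answer pings from elsewhere
!  - echo           : denied and logged; this is the ping-sweep traffic the
!                     worms in the post generated, so the log lines are a
!                     cheap detection signal for an infected host in the VLAN
ip access-list extended VLAN10-IN
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny   icmp any any echo log
 deny   icmp any any log
 permit ip any any
!
interface Vlan10
 ip access-group VLAN10-IN in
```

The `log` keyword on the deny lines sends a syslog entry per matched packet (rate-limited by IOS), which is enough to spot a host in the VLAN that suddenly starts sweeping other subnets; a bare `deny icmp any any` gives no such visibility. Note also that an interface ACL like this is stateless, so the echo-reply line is a static permit, not a reply-tracking rule.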