06-17-2008 10:06 AM - edited 03-09-2019 08:55 PM
Hi,
Can anybody tell me how I can limit the ICMP payload? For example, in my network no one should be able to ping with more than 64 bytes. If anybody pings, let's say with 100 bytes, then the ping should be dropped.
Any doc or suggestion would be appreciated.
Regards
Adnan
06-17-2008 12:27 PM
IOS-router(config)#access-list 190 deny icmp any any echo ?
dscp Match packets with given dscp value
log Log matches against this entry
log-input Log matches against this entry, including input interface
option Match packets with given IP Options value
precedence Match packets with given precedence value
time-range Specify a time-range
tos Match packets with given TOS value
I don't see any support for the criteria you wish to match on.
You might want to focus on rate-limiting ICMP (Control Plane Policing, Management Plane Policing), and denying ICMP fragments (perhaps all fragments):
e.g.:
deny tcp any any log fragments
deny udp any any log fragments
deny icmp any any log fragments
If you have implemented IPS, there is bound to be a signature to address unusually large ICMP echo requests (although larger than 100 bytes). Depending on your platform, maybe you have the option of constructing your own signature.
If you were using the Flexible Packet Matching (FPM) feature, that might give you the versatility to match with the specific criteria desired.
06-18-2008 12:26 PM
Hi Michael,
Many many thanks for your feedback and info.
First of all, rate-limiting only lets me limit the frequency (or total bandwidth) of the ICMP, but users will still be able to ping with a high payload and keep choking my network/server.
Currently in my inside network (of more than 20 sites) we are allowing only echo, echo-reply, packet-too-big and time-exceeded ICMP messages.
Yes, I have an IPS (4255) where I am getting a huge number of Large_ICMP alerts, mainly in my inside network (it's in promiscuous mode). This signature fires when the payload is more than 1024 bytes. That's why I need to limit the payload.
Now, I can create a new ICMP signature, but I really wonder what action I can apply if the signature fires. Is it possible to apply TCP_RESET type of things? I would appreciate it if you can help me out with what sort of action I can apply.
FPM is a new feature to me. I will check it and then may come back to you.
Many Thanks again for your suggestion and information.
Regards
Adnan
06-18-2008 01:17 PM
Rate-limiting was suggested as a "mitigating alternative" given that you seemed concerned about the presence of these packets, which I wouldn't have expected to be frequently observed.
If you have users deliberately pinging with large payloads, perhaps you need to be more selective in your ACLs, as to which sources are permitted to use ping, and/or to which destinations.
With a custom signature you would likely just "drop" the offending ICMP packet. You wouldn't be able to do a reset though, as there is no virtual-connection (i.e.: it's not like TCP).
I've done some reading on Flexible Packet Matching, but have not implemented it, and would not be in a position to advise you on the subject.
Flexible Packet Matching docs:
06-18-2008 10:14 PM
Hi Michael,
I have checked my IPS and tried to create signatures for ICMP. But I wonder what event action I should apply. Mine is in promiscuous mode. Can you please help me out and give us an idea/doc on how I can drop the offending traffic?
Regards
Adnan
06-19-2008 04:16 AM
Dear, just create a new signature and define the ICMP payload length and the actions as well.
Like request block connection or request block host.
Regards,
06-19-2008 07:09 AM
Unfortunately, I don't have access to an IPS 4255, or anything like it.
I've not read the following document, and I'm not sure if the software release is the same as what you have installed, but it might provide the guidance you need:
http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/CLI6_0.pdf
06-20-2008 06:49 AM
The following excerpt from:
http://www.cisco.com/warp/public/cc/pd/iosw/tech/plicy_wp.pdf
... suggests that Policy Based Routing could be used to match (and perhaps route to a Null interface) ICMP packets of a specific length:
"Match Clauses - Defining the Criteria
The IP standard or extended ACLs can be used to establish the match criteria. The standard IP access lists can be used to specify the match criteria for source address; extended access lists can be used to specify the match criteria based on application, protocol type, TOS, and precedence.
The match clause feature has been extended to include matching packet length between specified minimum and maximum values. The network administrator can then use the match length as the criterion that distinguishes ....."
Configuring Policy Based Routing:
http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfpbr.pdf
06-23-2008 04:17 AM
Dear Michael,
Please look at the following config:
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit ip any any
route-map name_route_map permit 1156
match ip address 110
match length 512 1024
set interface Null0
I added ACL 110 and the route-map on the interface. But the ICMP traffic (>513 and <1024) is not being blocked.
Any suggestion?
Regards
Adnan
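An added example (not from the thread or from Cisco) to check what the route-map above actually compares: in IOS, "match length" tests the Layer 3 packet length, so the ping payload, the 8-byte ICMP header and the 20-byte IPv4 header (assuming no IP options) all count toward it. The Python below builds constructed echo packets and evaluates the thread's "match length 512 1024" clause and the original 64-byte payload goal against them; the addresses and function names are constructed for the example.

```python
import struct

IP_HDR_LEN = 20    # IPv4 header without options (assumption for this example)
ICMP_HDR_LEN = 8   # ICMP echo/echo-reply header: type, code, checksum, id, seq

def icmp_echo_packet(payload_len, icmp_type=8):
    """Build a constructed IPv4 + ICMP packet (type 8 = echo, 0 = echo-reply).
    Checksums are left zero; only the lengths and the type matter for this check."""
    total_len = IP_HDR_LEN + ICMP_HDR_LEN + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + b"\x00" * payload_len

def ip_total_length(pkt):
    """Layer 3 length as carried in the IPv4 header (bytes 2-3); this is what 'match length' sees."""
    return struct.unpack("!H", pkt[2:4])[0]

def icmp_payload_length(pkt):
    """What ping reports as its size: bytes after the ICMP header."""
    return ip_total_length(pkt) - IP_HDR_LEN - ICMP_HDR_LEN

def acl_permits_echo(pkt):
    """Emulates an ACL with only 'permit icmp any any echo' and 'echo-reply' (no 'permit ip any any')."""
    return pkt[9] == 1 and pkt[IP_HDR_LEN] in (8, 0)

def pbr_length_match(pkt, min_len, max_len):
    """'match length min max' is an inclusive test on the Layer 3 packet length."""
    return min_len <= ip_total_length(pkt) <= max_len

def would_be_nulled(pkt, min_len, max_len):
    """Every match clause in a route-map sequence must hit before 'set interface Null0' applies."""
    return acl_permits_echo(pkt) and pbr_length_match(pkt, min_len, max_len)

def min_length_for_payload_limit(max_payload):
    """Smallest 'match length' minimum that catches pings whose payload exceeds max_payload bytes."""
    return IP_HDR_LEN + ICMP_HDR_LEN + max_payload + 1

if __name__ == "__main__":
    for payload in (32, 56, 64, 100, 600, 1024):
        pkt = icmp_echo_packet(payload)
        print(f"payload {payload:4d} -> IP length {ip_total_length(pkt):4d}, "
              f"nulled by 'match length 512 1024': {would_be_nulled(pkt, 512, 1024)}")
```

A 100-byte ping payload yields a 128-byte IP packet, which is below the 512 minimum in the config above, so that sequence would not send it to Null0; limiting payloads to 64 bytes corresponds to a Layer 3 length of 93 and up.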