06-29-2021 10:51 AM - edited 06-29-2021 02:41 PM
Hi guys,
I just want to share with you my experience of the last few days.
Some lamers were doing ping of death against my router, so my router CPU went crazy and routing was dead.
So what I did:
1. Be sure you don't have "no ip route-cache"... this is for debugging, so remove it from your interfaces, but most configs that you can find have it! Basically, with this, packets are processed by the CPU and not by CEF.
2. If CEF... is your friend. Enabling it is another step.
3. Add this ACL and apply it to the dialer interface, direction "in" (for an 897 or similar equipment; on other routers find your correct interface):
access-list 105 deny icmp any any echo
access-list 105 deny icmp any any echo-reply
access-list 105 deny udp any any eq echo
access-list 105 deny udp any eq echo any
access-list 105 permit ip any any
To test it, do "sh ip access-list 105" and ping the router:
10 deny icmp any any echo (89 matches) -> I did one test, the other 88 are not me....
20 deny icmp any any echo-reply (3 matches) -> these too
30 deny udp any any eq echo
40 deny udp any eq echo any
You will see the matches.
Basically the packets are discarded without impacting performance.
For other routers, apply it to the right interface and test it!
-------
Also good to know for anti-spoofing:
on the internal VLAN: "ip verify unicast source reachable-via rx allow-self-ping"
on the dialer: "ip verify unicast source reachable-via rx allow-default"
then:
! 0.0.0.0/8 and 127.0.0.0/8 need a 255.0.0.0 mask; a 255.255.255.0 mask
! would blackhole only a single /24 of each range
ip route 0.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
! ip route 198.18.0.0 255.254.0.0 Null0 -> line removed, it was a mistake
I post this to help other guys.
Bye.
P.S.: improvements are welcome, guys.
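The Null0 list above is easy to get wrong with a netmask typo: the mask is a netmask, not a wildcard, so 255.255.255.0 against 0.0.0.0 or 127.0.0.0 blackholes a single /24 instead of the whole /8. The following script is an added example, not part of the original post or of any Cisco tool: it parses "ip route ... Null0" lines from a constructed sample (the posted list, with a /24 mask deliberately left on the 0.0.0.0 and 127.0.0.0 entries) and reports which reserved source prefixes are fully covered, only partially covered, or missing. The reference prefix set and all function names are this example's own choices.

```python
import ipaddress
import re

# Reserved / private source prefixes that should never arrive from the
# Internet side; this is the set the post's Null0 routes are meant to cover
# (RFC 1122 "this" network, RFC 1918 private space, loopback, RFC 3927
# link-local and RFC 5737 TEST-NET-1). Chosen for this example.
REFERENCE_BOGONS = {
    "0.0.0.0/8": "this-network",
    "10.0.0.0/8": "rfc1918",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local",
    "172.16.0.0/12": "rfc1918",
    "192.0.2.0/24": "test-net-1",
    "192.168.0.0/16": "rfc1918",
}

# Constructed sample: the Null0 route list as posted, including the two
# entries whose 255.255.255.0 mask only blackholes a /24 instead of a /8.
# Lines starting with "!" are IOS comments and are ignored, like the
# 198.18.0.0/15 entry the poster struck out.
SAMPLE_CONFIG = """\
ip route 0.0.0.0 255.255.255.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.255.255.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
! ip route 198.18.0.0 255.254.0.0 Null0
"""

# "ip route <prefix> <netmask> Null0"; the mask is a netmask, not a wildcard.
NULL_ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) Null0\s*$", re.IGNORECASE)


def parse_null_routes(config_text):
    """Return the IPv4 networks blackholed by 'ip route ... Null0' lines."""
    routes = []
    for line in config_text.splitlines():
        m = NULL_ROUTE_RE.match(line)
        if m:
            # ipaddress accepts "prefix/netmask"; strict=False tolerates a
            # host bit set in the prefix, which IOS would also rewrite.
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return routes


def coverage_report(null_routes, reference=REFERENCE_BOGONS):
    """Classify each reference bogon as covered, partial or missing.

    covered: some Null0 route contains the whole reference prefix
    partial: only a narrower route inside the reference prefix exists
             (a mask typo, e.g. /24 where /8 was intended)
    missing: no Null0 route touches the prefix at all
    """
    report = {}
    for cidr in reference:
        want = ipaddress.ip_network(cidr)
        if any(want.subnet_of(have) for have in null_routes):
            report[cidr] = "covered"
        elif any(have.subnet_of(want) for have in null_routes):
            report[cidr] = "partial"
        else:
            report[cidr] = "missing"
    return report


def problems(config_text):
    """Return the reference prefixes that are not fully blackholed, sorted."""
    report = coverage_report(parse_null_routes(config_text))
    return sorted(c for c, status in report.items() if status != "covered")


if __name__ == "__main__":
    for cidr, status in coverage_report(parse_null_routes(SAMPLE_CONFIG)).items():
        print(f"{cidr:18} {REFERENCE_BOGONS[cidr]:13} {status}")
```

Run it against the text of "show running-config | include Null0" from your own router instead of SAMPLE_CONFIG; a "partial" result is the mask typo to fix, and "missing" means the prefix has no blackhole at all. A Null0 route only drops traffic destined to the prefix; it is the uRPF check on the dialer that turns these routes into a source-address filter, so keep both halves of the post's configuration together.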
06-29-2021 02:25 PM - edited 06-29-2021 02:28 PM
Hello @Luca Pecchiari,
nice job.
Yes, there are many configuration examples that contain "no ip route-cache" without explaining the side effects, and enabling CEF is mandatory on modern devices.
About the static routes to Null0, may I ask about the following entry:
>>ip route 198.18.0.0 255.254.0.0 Null0
Edit:
I see in a looking glass that this prefix does not exist.
Best Regards
Giuseppe
06-29-2021 02:41 PM
Oops, just a mistake! Sorry about that.