I just want to share with you my experience of the last few days.
Some lamers were doing a ping of death against my router, so my router's CPU went crazy and routing was dead.
So what I did:
1. Be sure you don't have "no ip route-cache"... this is for debugging, so remove it from your interfaces, but most configs that you can find have it! Basically, with this, packets are processed by the CPU and not by CEF.
2. CEF is your friend. Enabling it is the next step.
3. Add this ACL and apply it to the dialer interface, direction "in" (for an 897 or similar equipment; on other routers find your correct interface):
access-list 105 deny icmp any any echo
access-list 105 deny icmp any any echo-reply
access-list 105 deny udp any any eq echo
access-list 105 deny udp any eq echo any
access-list 105 permit ip any any
To test it, do "sh ip access-list 105" and ping the router:
10 deny icmp any any echo (89 matches) -> I did one test, the other 88 are not me....
20 deny icmp any any echo-reply (3 matches) -> even this
30 deny udp any any eq echo
40 deny udp any eq echo any
You will see the matches.
Basically the packets are discarded without impacting performance.
For other routers, apply it to the right interface and test it!
Also good to know for anti-spoofing.
On the internal VLAN: "ip verify unicast source reachable-via rx allow-self-ping"
On the dialer: "ip verify unicast source reachable-via rx allow-default"
! mask corrected to 255.0.0.0 (0.0.0.0/8); the original line had 255.255.255.0
ip route 0.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
! mask corrected to 255.0.0.0 (127.0.0.0/8); the original line had 255.255.255.0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
! ip route 198.18.0.0 255.254.0.0 Null0 -> line removed, it is a mistake
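As an added example (not part of the original post), here is a small Python helper that renders the bogon null-route lines with the dotted netmask IOS expects and checks a pasted config for the kind of mask slip that is easy to make when typing these by hand. The prefix list mirrors what the post null-routes (0/8, RFC 1918, loopback, link-local, TEST-NET-1; 198.18.0.0/15 is left out because the author removed that line), and the `POSTED_CONFIG` sample below is constructed here for the check.

```python
"""Render and validate Cisco IOS 'ip route <net> <mask> Null0' bogon entries.

Added example, not code from the original post. BOGONS is the prefix set the
post discards; POSTED_CONFIG is a constructed sample with two mask typos.
"""
import ipaddress
import re

# Prefixes the post sends to Null0 (198.18.0.0/15 omitted, as the author did).
BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "192.168.0.0/16",
]

# Constructed sample: same lines as a hand-typed config, with /24 masks on
# the 0/8 and 127/8 entries, which is the slip this check is meant to catch.
POSTED_CONFIG = """\
ip route 0.0.0.0 255.255.255.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.255.255.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) Null0\s*$")


def null_routes(prefixes=BOGONS):
    """Render static Null0 routes; IOS wants a dotted netmask, not /len."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines


def check_routes(config_text, prefixes=BOGONS):
    """Compare the Null0 routes in config_text with the expected prefixes.

    Returns (ok, problems). A prefix present with the wrong mask is reported
    as a mask mismatch; a prefix with no route at all as missing.
    """
    expected = {ipaddress.ip_network(p): p for p in prefixes}
    seen = {}
    problems = []
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        addr, mask = m.groups()
        try:
            # "a.b.c.d/255.x.y.z" is accepted by ipaddress; strict=False so a
            # mask that leaves host bits set still parses and gets reported.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError as exc:
            problems.append(f"unparseable: {line.strip()} ({exc})")
            continue
        seen[net] = line.strip()

    for net, cidr in expected.items():
        if net in seen:
            continue
        same_addr = [l for n, l in seen.items()
                     if n.network_address == net.network_address]
        if same_addr:
            problems.append(
                f"{cidr}: mask mismatch in '{same_addr[0]}' (want {net.netmask})")
        else:
            problems.append(f"{cidr}: missing")
    return (not problems, problems)


if __name__ == "__main__":
    print("\n".join(null_routes()))
    ok, problems = check_routes(POSTED_CONFIG)
    print("posted config ok:", ok)
    for p in problems:
        print("  ", p)
```

Run it as-is and the checker flags the two /24 masks on the 0.0.0.0 and 127.0.0.0 lines; feed it the output of `null_routes()` and it comes back clean. If you keep 198.18.0.0/15 or add other ranges, extend `BOGONS` and the renderer produces the correct mask for you.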