IP unreachables?

tedauction (Level 1)

Hello, I am considering using the command 'no ip unreachables' on my layer 3 interfaces to improve security. However, then I would be unable to get traceroute information from those interfaces, which I find very useful.

I was wondering what most network engineers choose, i.e. the extra security of using 'no ip unreachables' or the convenient functionality of traceroute?

 

2 Accepted Solutions
Hello,

I think disabling ip unreachables is somewhat obsolete; it used to be disabled mainly to reduce CPU usage, but on present devices it isn't really an issue anymore. The most important negative effect of disabling ip unreachables is that it breaks path MTU discovery.

The link below has a pretty good explanation of why it is not a good idea to disable it:

https://njetwork.wordpress.com/2014/02/06/no-ip-unreachables-no-path-mtu-discovery/
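To make the PMTUD breakage concrete, here is an added simulation (example code, not anything posted in the thread). It models a router hop the way IOS treats a DF-marked packet larger than the egress MTU: with 'ip unreachables' it returns ICMP type 3/code 4 carrying the next-hop MTU, with 'no ip unreachables' it drops the packet silently. The topology (two hops, MTUs 1500 and 1400), the sender's retry budget and the probe floor are constructed assumptions. It also shows what a sender has to fall back on when the ICMP never arrives: packetization-layer probing in the spirit of RFC 4821, which costs ten probes and as many timeouts where classic PMTUD needed one message.

```python
"""Path MTU discovery (PMTUD) with and without ICMP unreachables on a hop.

Added example, not code from the thread. Topology, MTUs and the sender's
retry budget are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMP_DEST_UNREACHABLE = 3      # ICMP type 3 (RFC 792)
CODE_FRAG_NEEDED_DF_SET = 4    # code 4: fragmentation needed and DF set ("packet-too-big")


@dataclass
class Hop:
    name: str
    egress_mtu: int
    ip_unreachables: bool = True   # True = 'ip unreachables', False = 'no ip unreachables'


@dataclass
class IcmpError:
    origin: str
    icmp_type: int
    icmp_code: int
    next_hop_mtu: int              # RFC 1191 field carried in the type 3/code 4 message


def forward(path: List[Hop], size: int, df: bool = True) -> Tuple[str, Optional[IcmpError]]:
    """Push one packet of `size` bytes along `path`.

    Returns ("delivered", None); ("fragmented", None) when DF is clear;
    ("icmp", error) when a hop reports the oversize packet; or
    ("blackhole", None) when the hop drops it silently because unreachables are off.
    """
    for hop in path:
        if size <= hop.egress_mtu:
            continue
        if not df:
            return "fragmented", None          # router fragments; receiver reassembles
        if hop.ip_unreachables:
            return "icmp", IcmpError(hop.name, ICMP_DEST_UNREACHABLE,
                                     CODE_FRAG_NEEDED_DF_SET, hop.egress_mtu)
        return "blackhole", None               # 'no ip unreachables': no feedback at all
    return "delivered", None


def classic_pmtud(path: List[Hop], initial_mtu: int = 1500,
                  max_sends: int = 6) -> Tuple[Optional[int], List[Tuple[int, str]]]:
    """RFC 1191 style: send with DF set, shrink to next_hop_mtu on type 3/code 4.

    Without the ICMP message the sender keeps retransmitting the same size and
    eventually gives up: the PMTUD black hole described in the reply above.
    """
    mtu, log = initial_mtu, []
    for _ in range(max_sends):
        status, err = forward(path, mtu)
        log.append((mtu, status))
        if status == "delivered":
            return mtu, log
        if status == "icmp" and err is not None:
            mtu = err.next_hop_mtu             # learn the bottleneck directly
    return None, log                           # no feedback: the connection stalls


def probe_pmtud(path: List[Hop], floor: int = 576, ceiling: int = 1500) -> Tuple[int, int]:
    """Packetization-layer probing (RFC 4821 idea): needs no ICMP at all.

    Binary-searches the largest DF packet that gets through, assuming `floor`
    is known to pass. Returns (path_mtu, probes_sent); every failed probe in a
    real stack is a retransmission timeout, so compare the count with classic_pmtud.
    """
    lo, hi, probes = floor, ceiling, 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        probes += 1
        status, _ = forward(path, mid)
        if status == "delivered":
            lo = mid
        else:
            hi = mid - 1                       # silence and ICMP are treated the same
    return lo, probes


if __name__ == "__main__":
    # Constructed topology: sender -> r1 (MTU 1500) -> r2 (MTU 1400) -> receiver
    good = [Hop("r1", 1500), Hop("r2", 1400)]
    bad = [Hop("r1", 1500), Hop("r2", 1400, ip_unreachables=False)]
    print("unreachables on :", classic_pmtud(good))
    print("unreachables off:", classic_pmtud(bad))
    print("probing instead :", probe_pmtud(bad))
```

With unreachables on, the sender learns 1400 from a single ICMP message; with them off, six DF packets vanish and the transfer stalls, and only a probing sender recovers, after ten probes.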

Hello

Disabling unreachables in conjunction with the router's default ICMP rate limiting is deemed to help negate DoS attacks.

ICMP unreachable packets are used when a destination to a specific network, host, protocol, or port is unreachable.

The router or host may send a destination unreachable packet to inform the source of the IP packet that its destination is unavailable.

You can negate ALL destination unreachable packets on a routed interface by disabling them, and as such the source wouldn't even be notified of the unreachable network, host, port etc…

sh ip int x/x | in ICMP
ICMP redirects are always sent
ICMP unreachables are always sent

int x/x
 no ip unreachables

sh ip int x/x | in ICMP
ICMP redirects are never sent
ICMP unreachables are never sent


As stated, there can be occurrences when the IP packet needs to be fragmented to be forwarded by the router but the DF bit in the packet is set; the source would then receive a destination unreachable message from the router if ICMP unreachables are disabled, and the packet won't be sent.

However, my understanding is that you can specify which types of unreachables are negated by specifying them in the form of an access-list.


access-list 100 deny  icmp any any ?
 <0-255>                      ICMP message type
  administratively-prohibited  Administratively prohibited
  alternate-address            Alternate address
  conversion-error             Datagram conversion
  dod-host-prohibited          Host prohibited
  dod-net-prohibited           Net prohibited
  dscp                         Match packets with given dscp value
  echo                         Echo (ping)
  echo-reply                   Echo reply
  fragments                    Check non-initial fragments
  general-parameter-problem    Parameter problem
  host-isolated                Host isolated
  host-precedence-unreachable  Host unreachable for precedence
  host-redirect                Host redirect
  host-tos-redirect            Host redirect for TOS
  host-tos-unreachable         Host unreachable for TOS
  host-unknown                 Host unknown
  host-unreachable             Host unreachable
  information-reply            Information replies
  information-request          Information requests
  log                          Log matches against this entry
  log-input                    Log matches against this entry, including input
                               interface
  mask-reply                   Mask replies
  mask-request                 Mask requests
  mobile-redirect              Mobile host redirect
  net-redirect                 Network redirect
  net-tos-redirect             Net redirect for TOS
  net-tos-unreachable          Network unreachable for TOS
  net-unreachable              Net unreachable
  network-unknown              Network unknown
  no-room-for-option           Parameter required but no room
  option-missing               Parameter required but not present
  packet-too-big               Fragmentation needed and DF set
  parameter-problem            All parameter problems
  port-unreachable             Port unreachable
  precedence                   Match packets with given precedence value
  precedence-unreachable       Precedence cutoff
  protocol-unreachable         Protocol unreachable
  reassembly-timeout           Reassembly timeout
  redirect                     All redirects
  router-advertisement         Router discovery advertisements
  router-solicitation          Router discovery solicitations
  source-quench                Source quenches
  source-route-failed          Source route failed
  time-exceeded                All time exceededs
  time-range                   Specify a time-range
  timestamp-reply              Timestamp replies
  timestamp-request            Timestamp requests
  tos                          Match packets with given TOS value
  traceroute                   Traceroute
  ttl-exceeded                 TTL exceeded
  unreachable                  All unreachables

 

ICMP type 3 packets have many codes associated with them, but I would say codes 0 and 1 are the most common messages; please review the following RFC to obtain a better understanding:

RFC 792

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This could then assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
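The configuration the reply above is pointing at, written out as an added example (not configuration posted in the thread): keep 'ip unreachables' enabled on the interface so the router can still originate type 3/code 4 for PMTUD, bound how many unreachables it generates with 'ip icmp rate-limit unreachable', and use an inbound ACL built from the ICMP keywords listed above to admit only the message types that PMTUD and traceroute need. The interface name GigabitEthernet0/1 and the ACL name ICMP-INBOUND are assumptions. An 'ip access-group ... in' ACL filters ICMP arriving on the interface (the errors coming back to hosts behind the router); what the router itself originates is governed by 'ip unreachables' and the rate limiter, not by the ACL.

```text
! Added example; not configuration from the thread. Interface and ACL names are assumed.
!
! Global: keep generating unreachables, but allow at most one per 500 ms.
! The DF form covers the type 3/code 4 "fragmentation needed" messages PMTUD depends on.
ip icmp rate-limit unreachable 500
ip icmp rate-limit unreachable DF 500
!
! Inbound ICMP policy for a transit interface: admit what PMTUD and traceroute
! need, log and drop the rest of ICMP, then pass ordinary traffic.
ip access-list extended ICMP-INBOUND
 remark type 3 code 4: fragmentation needed and DF set (PMTUD)
 permit icmp any any packet-too-big
 remark type 11: TTL exceeded, one per traceroute hop
 permit icmp any any time-exceeded
 remark type 3 code 3: the final hop of a UDP traceroute
 permit icmp any any port-unreachable
 remark replies to pings sourced from inside
 permit icmp any any echo-reply
 remark redirects, mask and timestamp requests, other unreachables
 deny   icmp any any log
 permit ip any any
!
interface GigabitEthernet0/1
 ip unreachables
 no ip redirects
 no ip proxy-arp
 ip access-group ICMP-INBOUND in
!
! Verify:
! show ip interface GigabitEthernet0/1 | include ICMP
! show access-lists ICMP-INBOUND
```

The verification line should report "ICMP unreachables are always sent" and "ICMP redirects are never sent"; traceroute through this router keeps working because time-exceeded and port-unreachable are admitted, and hosts behind it still receive packet-too-big.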
