ICMP echo packets are a favorite of attackers. They use ICMP echo (ping) packets to discover subnets and live hosts on the protected network, and they use floods of them to generate DoS traffic. Attackers can also use ICMP redirect messages to alter host routing tables, diverting a host's traffic through a machine they control. Because both ICMP echo and redirect messages can be used maliciously, the router should block them inbound.
The example shows ACL 112. This ACL is used to block all ICMP echo and redirect messages inbound.
For even greater security, this ACL also blocks ICMP mask request messages, which serve the same subnet reconnaissance purpose as echo. Note that this ACL allows all other ICMP messages inbound to the 12.2.1.0/24 network, so echo replies to pings originated inside, destination unreachable messages (including fragmentation needed, which path MTU discovery depends on), and time exceeded messages still reach the internal hosts.
The following ICMP messages are required for proper network operation and should be allowed outbound:
■ Echo allows users to ping external hosts.
■ Parameter problem tells the sending host about packet header problems.
■ Packet too big (ICMPv4 destination unreachable, fragmentation needed) is required for path maximum transmission unit (PMTU) discovery.
■ Source quench throttles down traffic as needed. It has since been deprecated (RFC 6633) and modern hosts ignore it, so permitting it is harmless but no longer necessary.
As a best practice, all other ICMP message types should be blocked outbound. The example shows how you can use an ACL to handle ICMP messages properly.
ACL 114 permits only the required ICMP messages outbound on the e0/1 interface and denies all other ICMP messages.
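The two ACLs described above, written out as an added example in Cisco IOS syntax. This is not the page's own configuration (which is not reproduced here) but a reconstruction from the description: ACL 112 denies echo, redirect and mask-request inbound to 12.2.1.0/24 and permits all other ICMP; ACL 114 permits echo, parameter-problem, packet-too-big and source-quench outbound and denies all other ICMP. The assumptions are that Ethernet0/1 is the interface facing the untrusted network (so ACL 112 is applied inbound and ACL 114 outbound on it), that the `log` keywords are wanted, and that the surrounding non-ICMP rules, which the page does not discuss, are filled in as marked.

```cisco
! --- ACL 112: inbound ICMP policy for the protected 12.2.1.0/24 network ---
! IOS evaluates ACL entries top to bottom and stops at the first match,
! so the specific denies must come before the general ICMP permit.
access-list 112 deny   icmp any 12.2.1.0 0.0.0.255 echo log
access-list 112 deny   icmp any 12.2.1.0 0.0.0.255 redirect log
access-list 112 deny   icmp any 12.2.1.0 0.0.0.255 mask-request log
! All other ICMP is allowed in: echo-reply (answers to internal pings),
! unreachable incl. packet-too-big (PMTU discovery) and time-exceeded
! (traceroute) keep working.
access-list 112 permit icmp any 12.2.1.0 0.0.0.255
! Every ACL ends with an implicit "deny ip any any". The permits for the
! non-ICMP traffic this interface must accept go here (assumed, not shown);
! without them the ACL drops everything except ICMP.

! --- ACL 114: outbound ICMP policy, permit only what hosts need ---
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any echo
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any parameter-problem
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any packet-too-big
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any source-quench
! Any other ICMP type leaving the network is dropped and logged.
access-list 114 deny   icmp any any log
! Non-ICMP traffic still has to be permitted explicitly. Restricting the
! source to 12.2.1.0/24 also stops spoofed packets from leaving (assumed).
access-list 114 permit ip 12.2.1.0 0.0.0.255 any

! Assumption: Ethernet0/1 faces the untrusted network. "in" filters packets
! arriving from outside, "out" filters packets leaving toward it.
interface Ethernet0/1
 ip access-group 112 in
 ip access-group 114 out
```

To check the policy, ping an internal host from outside (it should fail and the 112 echo line's match counter in `show access-lists 112` should increment) and ping an external host from inside (it should succeed, because echo is permitted out by 114 and echo-reply is permitted in by 112). Two caveats: the IOS `packet-too-big` keyword matches ICMPv4 type 3 code 4, and these numbered ACLs only cover IPv4; ICMPv6 is filtered with a separate `ipv6 access-list`, where blocking packet too big (type 2) would break PMTU discovery.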
biOos