Friday, May 28, 2010

Host Unreachable Reply

Ever ping something and get the reply "host unreachable"? So you wonder: how am I getting a reply from a host that is unreachable?

Well, the reply is actually from the router, and the host is, as it says, unreachable. The router can't forward your packet (it has no route to the destination, or the next hop never answers), so it drops it and sends you a friendly ICMP Destination Unreachable (type 3) message sourced from its own interface address. That is why the "reply" line in ping shows the router's IP, not the host you pinged. You can turn this off with the interface command no ip unreachables, and the router will silently drop your packet and let your ping time out. One caveat before you do: that command suppresses every type 3 message, including code 4 (fragmentation needed), so Path MTU Discovery through that interface stops working.

On a similar note, one common DoS technique is to flood a router with packets for addresses it cannot reach. Every one of those packets forces the router to generate an ICMP unreachable in software, which is done by the router's CPU rather than in the forwarding path, so a large enough flood drives CPU utilisation up and starves control-plane work like routing protocol updates. If you still want unreachables sent, rate-limit them instead of disabling them. For instance:

Router(config)# ip icmp rate-limit unreachable 1000

The argument is in milliseconds, so 1000 limits the router to one unreachable reply per second (the IOS default is one every 500 ms). Excess unreachables are simply not generated; the offending packets are still dropped.
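Both settings side by side on a two-interface edge router, as an added example that is not from the original post. The interface names, descriptions and addresses are made up; the commands themselves are standard IOS.

```cisco
! Added example, not from the original post. Interface names and
! addresses are assumptions. Pick the approach that fits your network.

! --- Approach 1 (global): keep unreachables, but rate-limit them ---
! The argument is milliseconds between unreachables: 1000 means at most
! one per second (IOS default is 500 ms).
ip icmp rate-limit unreachable 1000
! The "df" form applies a separate limiter to code 4 (fragmentation
! needed, DF bit set), so a flood of other unreachables does not use up
! the budget that Path MTU Discovery depends on.
ip icmp rate-limit unreachable df 1000

! --- Approach 2 (per interface): silence unreachables entirely ---
! No ICMP type 3 is sent on this interface at all, including code 4,
! so Path MTU Discovery through it breaks. Use only where that is
! acceptable, typically the untrusted side.
interface GigabitEthernet0/1
 description Internet-facing link (assumed)
 ip address 203.0.113.1 255.255.255.252
 no ip unreachables
!
! Inside interface: leave unreachables on (the default) so internal
! users still get useful feedback and PMTUD keeps working. The global
! rate limit above still protects the CPU here.
interface GigabitEthernet0/0
 description LAN (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip unreachables
!
! Verify:
!   show ip interface GigabitEthernet0/1 | include unreachables
!     ICMP unreachables are never sent
!   show running-config | include icmp rate-limit
```

Because ip unreachables is the default, it will not appear in the running config; only the no form and the rate-limit lines show up. The rate limit is usually the better first step, since it keeps the diagnostic value of unreachables for the common case while capping what an attacker can make the CPU do.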
