NOTE: Cisco IOS Release 12.0 and later now has the no ip directed-broadcast
feature enabled by default, which prevents this type of ICMP attack.
Refer to Figure 5-12 for the network topology upon which the following configurations are
based.
Edge(config-if)#exit
    Returns to global configuration mode
Edge(config)#
Edge(config)#access-list 105 deny ip any host 10.2.1.255 log
    Denies any packet with a destination address of 10.2.1.255
Edge(config)#access-list 105 permit ip any 10.2.1.0 0.0.0.255 log
    Permits packets to any other destination address on the 10.2.1.0 network, and logs any instance in which this statement was used
Edge(config)#access-list 106 deny ip any host 10.1.1.255 log
    Denies any packet with a destination address of 10.1.1.255
Edge(config)#access-list 106 permit ip any 10.1.1.0 0.0.0.255 log
    Permits packets to any other destination address on the 10.1.1.0 network, and logs any instance in which this statement was used
Edge(config)#interface fastethernet 0/0
    Moves to interface configuration mode
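Added example (not from the original text): a small Python model of how ACLs 105 and 106 above are evaluated, showing wildcard-mask matching, first-match ordering, and the implicit deny at the end of every ACL. Only the destination is modelled because both ACLs use a source of any; the function names and the sample destination addresses are constructed for illustration.

```python
import ipaddress

# Entries of ACL 105 and 106 as listed above: (action, destination, wildcard).
# "host X" is shorthand for X with wildcard mask 0.0.0.0.
ACLS = {
    105: [("deny", "10.2.1.255", "0.0.0.0"),
          ("permit", "10.2.1.0", "0.0.0.255")],
    106: [("deny", "10.1.1.255", "0.0.0.0"),
          ("permit", "10.1.1.0", "0.0.0.255")],
}

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(entries, dst):
    """Return (action, index of matching entry) using first-match order.

    An index of None means no entry matched and the implicit deny applied.
    """
    for index, (action, base, wildcard) in enumerate(entries):
        if wildcard_match(dst, base, wildcard):
            return action, index
    return "deny", None

if __name__ == "__main__":
    # Constructed sample destinations: the directed-broadcast address,
    # an ordinary host on the subnet, and an address outside the subnet.
    for dst in ("10.2.1.255", "10.2.1.25", "192.0.2.10"):
        print("ACL 105", dst, evaluate(ACLS[105], dst))

    # With the two entries swapped, the broader permit matches first and
    # the host deny for the broadcast address is never reached.
    swapped = list(reversed(ACLS[105]))
    print("swapped ", "10.2.1.255", evaluate(swapped, "10.2.1.255"))
```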
110 Using ACLs to Filter Network Traffic to Mitigate Threats
Filtering ICMP Messages: Inbound
There are several Internet Control Message Protocol (ICMP) message types that attackers
can use against your network.