Re: Question about the ICMP attack

From: Chuck Church (ccie8776@rochester.rr.com)
Date: Mon Feb 24 2003 - 16:14:59 GMT-3


Create (or add to) an ACL on the outside interface. At the top, list the
most common types of ICMP as permit statements, then all ICMP, and then your
other lines or a generic permit all at the end. Once you see what kind of
ICMP is getting the most hits (via 'sh access-list'), change the ACL for that
type so that it logs it. You should be able to find out the source pretty
quickly.

Chuck Church
CCIE #8776, MCNE, MCSE
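
One way to work through the output of the two steps in the reply above, as an added example that is not part of the original thread: rank the ICMP entries by hit count, then total the logged packets per source once the busiest entry carries `log`. The ACL name ICMP-TRIAGE, the addresses and both samples are constructed; the log lines follow the IOS %SEC-6-IPACCESSLOGDP message format.

```python
import re
from collections import Counter

# Constructed sample of 'sh access-list' output (not from the thread).
SHOW_ACL = """\
Extended IP access list ICMP-TRIAGE
    permit icmp any any echo (48211 matches)
    permit icmp any any echo-reply (37 matches)
    permit icmp any any unreachable (912 matches)
    permit icmp any any (64 matches)
    permit ip any any (180344 matches)
"""

# Constructed syslog lines, as seen after adding 'log' to the busiest entry.
# IOS logs the first packet of a flow, then periodic summaries with a count.
SYSLOG = """\
Feb 24 16:20:01: %SEC-6-IPACCESSLOGDP: list ICMP-TRIAGE permitted icmp 192.0.2.10 -> 198.51.100.1 (8/0), 1 packet
Feb 24 16:20:02: %SEC-6-IPACCESSLOGDP: list ICMP-TRIAGE permitted icmp 203.0.113.77 -> 198.51.100.1 (8/0), 1 packet
Feb 24 16:25:01: %SEC-6-IPACCESSLOGDP: list ICMP-TRIAGE permitted icmp 192.0.2.10 -> 198.51.100.1 (8/0), 4310 packets
Feb 24 16:25:02: %SEC-6-IPACCESSLOGDP: list ICMP-TRIAGE permitted icmp 203.0.113.77 -> 198.51.100.1 (8/0), 12 packets
"""

# An optional leading sequence number covers IOS releases that print one.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+icmp\s+(.*?)\s*\((\d+) match(?:es)?\)\s*$")
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (\S+) (?:permitted|denied) icmp "
    r"(\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packets?")

def rank_icmp_entries(show_output):
    """Return [(acl_entry, matches)] for ICMP entries, busiest first."""
    hits = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            hits.append((f"{m.group(1)} icmp {m.group(2)}", int(m.group(3))))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def rank_sources(syslog, acl_name):
    """Sum logged packets per source address for one ACL, busiest first."""
    per_source = Counter()
    for m in LOG_RE.finditer(syslog):
        if m.group(1) == acl_name:
            per_source[m.group(2)] += int(m.group(6))
    return per_source.most_common()

if __name__ == "__main__":
    print(rank_icmp_entries(SHOW_ACL)[0])
    print(rank_sources(SYSLOG, "ICMP-TRIAGE"))
```

Source addresses in ICMP floods can be spoofed, so the top talker is a lead to confirm upstream rather than proof of origin.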

----- Original Message -----
From: "Tony Kwok" <sykwok8@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Monday, February 24, 2003 10:14 AM
Subject: Question about the ICMP attack

> Dear all,
>
> I have the following case. Pls suggest the solution.
>
> Supposing that one of my network interfaces is
> being attacked by ICMP and I would like to pick those guys
> out by knowing their address. In addition, is there
> any method to identify which one most frequently
> attacks this interface?
>
> In my idea, I think Netflow will be a suitable
> solution. But I find Netflow cannot show the path
> for the ICMP and also it needs to export the data out
> to another server. Pls correct me if I have overlooked
> anything. Thx.
>
> Regards,
> Tony



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:33 GMT-3