Icmp Mask Reply Messages - Cisco ASR 1000 Series Configuration Manual

Configuring IP Services
intervals can be configured for code 4 and all other unreachable destination error messages. However, there
is no method of displaying how many ICMP messages have not been sent.
The ICMP Unreachable Destination Counters feature provides a method to count and display the unsent Type
3 messages. This feature also provides console logging with error messages when there are periods of excessive
rate limiting that would indicate a Denial of Service (DoS) attack against the router.
If the software receives a nonbroadcast packet destined for itself that uses an unknown protocol, it sends an
ICMP protocol unreachable message back to the source. Similarly, if the software receives a packet that it is
unable to deliver to the final destination because it knows of no route to the destination address, it sends an
ICMP host unreachable message to the source. This functionality is enabled by default.
Disable ICMP host unreachable messages whenever possible. ICMP supports IP traffic by relaying information
about paths, routes, and network conditions. These messages can be used by an attacker to gain network
mapping information.
Because the null interface is a packet sink, packets forwarded there will always be discarded and, unless
disabled, will generate host unreachable messages. If the null interface is being used to block a
Denial-of-Service attack, these messages flood the local network. Disabling these messages
prevents this situation. In addition, because all blocked packets are forwarded to the null interface, an attacker
receiving host unreachable messages could use those messages to determine Access Control List (ACL)
configuration. If the "null 0" interface is configured on your router, disable ICMP host unreachable messages
for discarded packets or packets routed to the null interface.

ICMP Mask Reply Messages

Occasionally, network devices must know the subnet mask for a particular subnetwork in the internetwork.
To obtain this information, such devices can send ICMP mask request messages. ICMP mask reply messages
are sent in reply from devices that have the requested information. The software can respond to ICMP mask
request messages if this function is enabled.
These messages can be used by an attacker to gain network mapping information.

ICMP Redirect Messages

Routes are sometimes less than optimal. For example, it is possible for the router to be forced to resend a
packet through the same interface on which it was received. If the router resends a packet through the same
interface on which it was received, the software sends an ICMP redirect message to the originator of the
packet telling the originator that the router is on a subnet directly connected to the receiving device, and that
it must forward the packet to another system on the same subnet. The software sends an ICMP redirect message
to the originator of the packet because the originating host presumably could have sent that packet to the next
hop without involving this device at all. The redirect message instructs the sender to remove the receiving
device from the route and substitute a specified device representing a more direct path. This functionality is
enabled by default.
In a properly functioning IP network, a router will send redirects only to hosts on its own local subnets, no
end node will ever send a redirect, and no redirect will ever be traversed more than one network hop. However,
an attacker may violate these rules; some attacks are based on this. Disabling ICMP redirects will cause no
operational impact to the network, and it eliminates this possible method of attack.
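The three recommendations above (disable ICMP unreachables, leave mask reply off, disable redirects) are applied per interface with the IOS commands "no ip unreachables", "no ip mask-reply" and "no ip redirects". The following added example, not part of the Cisco guide, audits a running-config for those settings; the sample configuration is constructed for illustration and the parser assumes the usual "interface" stanza layout of "show running-config" output.

```python
"""Audit a Cisco IOS XE running-config for the ICMP settings discussed above:
'no ip unreachables', 'no ip redirects', and no explicit 'ip mask-reply'."""
import re

# Constructed sample of 'show running-config' output, not from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
interface GigabitEthernet0/0/1
 ip address 198.51.100.1 255.255.255.0
 ip mask-reply
!
interface Null0
 no ip unreachables
!
"""

def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [stripped config lines of that stanza]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return stanzas

def audit_icmp(config: str) -> dict:
    """Return {interface: [findings]} for interfaces that still emit ICMP
    messages the guide says to disable. Null0 is a packet sink, so it is
    checked only for unreachables (a choice made for this example)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        if "no ip unreachables" not in lines:
            issues.append("ICMP unreachables still enabled (IOS default)")
        if not name.lower().startswith("null") and "no ip redirects" not in lines:
            issues.append("ICMP redirects still enabled (IOS default)")
        if "ip mask-reply" in lines:
            issues.append("ICMP mask reply explicitly enabled")
        if issues:
            findings[name] = issues
    return findings
```

Running audit_icmp(SAMPLE_CONFIG) flags only GigabitEthernet0/0/1, which still has unreachables and redirects at their defaults and has mask reply turned on.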
IP Application Services Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)