Disable IP Unreachables on Null Interface - Cisco OL-4015-08 User Manual

Cisco Router and Security Device Manager User's Guide

Chapter 16
Security Audit

Disable IP Unreachables on NULL Interface

in the internetwork. ICMP mask reply messages are sent to the device requesting
the information by devices that have the requested information. An attacker can
use these replies to learn the subnet mask of each network and so build a map of
the internetwork.
The configuration that will be delivered to the router, in interface
configuration mode, to disable ICMP mask reply messages is as follows:
no ip mask-reply
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
Security Audit disables Internet Control Message Protocol (ICMP) host
unreachable messages whenever possible. ICMP supports IP traffic by relaying
information about paths, routes, and network conditions. A router sends an ICMP
host unreachable message when it receives a nonbroadcast packet that uses an
unknown protocol, or when it cannot deliver a packet to its ultimate destination
because it knows of no route to the destination address.
Because the null interface is a packet sink, every packet forwarded to it is
discarded and, unless the feature is disabled, each discarded packet generates a
host unreachable message. If the null interface is being used to absorb a
Denial-of-Service attack, the router then answers every attack packet with an
unreachable, and these replies flood the local network. Disabling these messages
prevents this situation. In addition, because all blocked packets are forwarded
to the null interface, an attacker who receives host unreachable messages can use
them to infer the Access Control List (ACL) configuration, that is, which
destinations the router blocks and which it forwards.
Note that this fix applies to the null interface only. Disabling unreachables on
transit interfaces would also suppress the "fragmentation needed" messages (ICMP
type 3, code 4) that path MTU discovery depends on.
If the "null 0" interface is configured on your router, Security Audit delivers
the following configuration to the router to disable ICMP host unreachable
messages for packets discarded or routed to the null interface:
int null 0
no ip unreachables
This fix can be undone. To learn how, click Undoing Security Audit Fixes.
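The two checks described on this page (ICMP mask reply enabled on any interface, and a Null0 interface without "no ip unreachables") can be run offline against a saved running-config. The following Python script is an added example, not code from the Cisco manual or from SDM itself: it parses the interface blocks of an IOS config, reports each finding, and builds the interface-mode commands that the Security Audit fix would deliver. The sample configuration, addresses and interface names are constructed for illustration.

```python
"""Check an IOS running-config for the two ICMP settings discussed above.

Added example; not code from the Cisco SDM manual. The sample configuration
below is constructed for illustration (RFC 5737 documentation addresses).
"""
from __future__ import annotations

import re
from typing import Dict, List

# Constructed sample running-config. FastEthernet0/0 still answers mask
# requests, and Null0 exists but has not had unreachables disabled.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip mask-reply
 no ip unreachables
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip mask-reply
!
interface Null0
 no ip redirects
!
ip route 203.0.113.0 255.255.255.0 Null0
!
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' block to its sub-commands.

    IOS indents interface sub-commands by one space; a '!' separator or any
    non-indented line ends the block.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        match = INTERFACE_RE.match(line)
        if match:
            current = match.group(1)
            blocks.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_icmp(config: str) -> List[str]:
    """Return one finding per problem, mirroring the two Security Audit checks.

    1. Any interface with 'ip mask-reply' explicitly enabled (the IOS default
       is off, so the command only appears when someone turned it on).
    2. A Null0 interface without 'no ip unreachables'. A missing Null0 is not
       a finding; the manual applies the fix only when Null0 is configured.
    """
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        if "ip mask-reply" in cmds:
            findings.append(f"{name}: ICMP mask reply enabled")
        if name.lower() == "null0" and "no ip unreachables" not in cmds:
            findings.append(f"{name}: ICMP unreachables not disabled")
    return findings


def remediation(config: str) -> str:
    """Build the interface-mode commands that would clear every finding."""
    lines: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        needed = []
        if "ip mask-reply" in cmds:
            needed.append(" no ip mask-reply")
        if name.lower() == "null0" and "no ip unreachables" not in cmds:
            needed.append(" no ip unreachables")
        if needed:
            lines.append(f"interface {name}")
            lines.extend(needed)
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit_icmp(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("--- commands to deliver ---")
    print(remediation(SAMPLE_CONFIG))
```

Run it against the output of "show running-config" saved to a file to get the same two findings SDM would raise; the remediation text is the snippet you would paste in configuration mode. Only Null0 is checked for unreachables on purpose, for the path MTU discovery reason given above.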
Cisco Router and Security Device Manager Version 2.2 User's Guide