The no ip redirects command, entered in interface configuration mode, disables the sending of ICMP redirects on that interface. This service should be disabled, especially on untrusted network interfaces, because the redirects a router sends reveal which next-hop gateways it knows for which destinations and can therefore be used to map the network.
ICMP Unreachable
When an IOS device receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP unreachable message to the source. In addition, an ICMP unreachable message is used to inform a host that the device cannot deliver the packet to the requested destination because it does not have a route to the destination address.
One of several common attacks an intruder can launch involves sending crafted packets to destinations for which the device has no route, using random spoofed source addresses. The device answers each packet with an ICMP unreachable message sent to the spoofed source, so it ends up generating replies to a large number of unknown or invalid addresses. In some cases this volume of replies results in degradation of the device's performance. To prevent such an occurrence and many other types of attacks, the ICMP unreachable message can be disabled in interface configuration mode with the no ip unreachables command, as shown in Example 3-8. Note that this suppresses every ICMP unreachable the interface would otherwise send, including the fragmentation-needed messages that Path MTU Discovery depends on, so on interfaces that serve legitimate hosts consider limiting the rate with ip icmp rate-limit unreachable rather than disabling them outright.
Example 3-8.
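The following is an added example, not the book's Example 3-8 and not Cisco code: a Python audit script that parses an IOS-style running configuration and reports every IP-bearing interface that still lacks no ip redirects or no ip unreachables, then renders the interface-mode commands that close each gap. The sample configuration embedded in it is constructed for the example; the interface names and addresses are assumptions. It serves both the no ip redirects passage above and the ICMP unreachable passage.

```python
import re

# Constructed sample running-config (not taken from the page).  GigabitEthernet0/0
# faces an untrusted network and still has both ICMP services enabled (the IOS
# default); GigabitEthernet0/1 is the hardened form of the same stanza.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
interface GigabitEthernet0/0
 description UNTRUSTED - Internet uplink
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
"""

# Interface-mode commands this check expects on every interface with an IP address.
HARDENING_COMMANDS = ("no ip redirects", "no ip unreachables")


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [sub-commands]} for every interface stanza.

    IOS indents sub-commands with a single space; a stanza ends at '!' or at
    the next top-level command.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # stanza terminator
            continue
        if line.startswith(" "):
            if current is not None:  # sub-command of the open interface
                interfaces[current].append(line.strip())
            continue
        match = re.match(r"^interface\s+(\S+)$", line)
        current = match.group(1) if match else None
        if current is not None:
            interfaces[current] = []
    return interfaces


def find_gaps(config: str) -> dict:
    """Return {interface: [missing hardening commands]}.

    Only interfaces carrying an 'ip address' line are checked, because only those
    route IP traffic and source ICMP redirects / unreachables.  A command that is
    absent is enabled, since both services are on by default in IOS.
    """
    gaps = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("ip address ") for c in cmds):
            continue
        missing = [h for h in HARDENING_COMMANDS if h not in cmds]
        if missing:
            gaps[name] = missing
    return gaps


def remediation(config: str) -> list:
    """Render the IOS configuration lines that close every gap found."""
    lines = []
    for name, missing in find_gaps(config).items():
        lines.append(f"interface {name}")
        lines.extend(f" {cmd}" for cmd in missing)
    return lines


if __name__ == "__main__":
    for iface, missing in find_gaps(SAMPLE_CONFIG).items():
        print(f"{iface}: missing {', '.join(missing)}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Feed it the output of show running-config; on the device itself, show ip interface <name> confirms the result with the lines "ICMP redirects are never sent" and "ICMP unreachables are never sent" once the commands are in place.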