I'm quoting this excerpt from Cisco CCO Support. Anyone working with Cisco routers and networking has probably already set up access-lists to protect their routers by now. Cisco's use of policy routing to send the Nachi worm's ICMP packets into a black hole (null interface) is a very practical application. Good real life case study. I also often use this method to send unwanted traffic into a black hole. The idea is to dump the unwanted packets locally rather than let it travel through the WAN.
Policy Based Routing for IOS
The Nachi worm detects the availability of a node by sending ICMP type 8 (echo request) packets before trying to exploit the RPC vulnerability. The size of the ICMP packet is 92 bytes including the IP header.
The following Policy Based Routing (PBR) configuration can be used to match and drop the ICMP type 8 and type 0 packets that are 92 bytes long. The ICMP type 8 packets generated by the ping utility on other operating systems such as Cisco IOS, Windows 2000, Linux and Solaris, have different packet sizes than 92 bytes. This configuration should not filter the packets that are generated by the ping utility on those operating systems.
Caution: Once applied, this configuration may cause all packets to be process switched on hardware switching platforms such as the Catalyst 6500 series and Cisco 12000 GSR, or PBR may not be supported on these platforms. This may significantly impact the performance of those devices and it is therefore not recommended to use this method on hardware switching platforms.
Caution: Enabling Policy Based Routing may affect the performance of your throughput. It is recommended to enable Cisco Express Forwarding (CEF) for improved performance. If CEF is not enabled on the router, it is recommended to have the "ip route-cache policy" command on the interface. This will increase the performance of Policy Based Routing.
! --- ACL 199 selects ICMP echo requests and echo replies (type 8 & 0)
access-list 199 permit icmp any any echo
access-list 199 permit icmp any any echo-reply
!
route-map nachi-worm permit 10
 ! --- match ICMP echo requests and replies (type 0 & 8)
 match ip address 199
 ! --- match packets that are exactly 92 bytes long (min 92, max 92)
 match length 92 92
 ! --- drop the packet by policy-routing it to the null interface
 set interface Null0
!
! --- the following commands are interface sub-commands; apply them on
! --- every ingress interface (the interface name is a placeholder)
interface <interface>
 ! --- it is recommended to disable unreachables
 no ip unreachables
 ! --- if not using CEF, enabling ip route-cache policy is recommended
 ip route-cache policy
 ! --- apply Policy Based Routing to the interface
 ip policy route-map nachi-worm
This configuration needs to be applied on all ingress interfaces on the device. If you have no infected hosts internally it may be acceptable to apply it only at your network edge.
Note: By enabling this configuration you may also be dropping some legitimate ICMP type 8 (echo request) packets that are 92 bytes long.
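To make the matching logic of the route-map above concrete, here is an added Python example (mine, not Cisco's and not part of the advisory) that builds a few raw IPv4+ICMP packets, parses them the way the router would classify them, and applies the two match clauses (ACL 199 and `match length 92 92`). The packet builder, the ping payload sizes for other operating systems, and the sample addresses are constructed assumptions; the point is to show that only 92-byte echo/echo-reply packets go to Null0, while everything else falls through to normal routing, and that a same-sized packet of another ICMP type or protocol is not affected.

```python
import struct

# Values taken from the advisory: the Nachi probe is an ICMP echo request whose
# total size, including the 20-byte IP header, is 92 bytes (20 IP + 8 ICMP + 64 data).
PROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
MATCH_LEN_MIN, MATCH_LEN_MAX = 92, 92   # "match length 92 92"


def build_ip_packet(proto, l4_bytes, src="10.0.0.5", dst="10.0.0.9"):
    """Constructed test packet: minimal IPv4 header (no options, checksum zeroed) + payload."""
    total_len = 20 + len(l4_bytes)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + l4_bytes


def build_icmp_packet(icmp_type, data):
    """Constructed ICMP message: 8-byte header (type, code, cksum, id, seq) + data."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)
    return build_ip_packet(PROTO_ICMP, icmp_hdr + data)


def parse_packet(pkt):
    """Pull out the fields the ACL and the length clause look at."""
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]   # IP total length field
    proto = pkt[9]
    icmp_type = pkt[ihl] if proto == PROTO_ICMP else None
    return {"length": total_len, "proto": proto, "icmp_type": icmp_type}


def acl_199_permits(fields):
    """access-list 199 permit icmp any any echo / echo-reply"""
    return (fields["proto"] == PROTO_ICMP
            and fields["icmp_type"] in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY))


def route_map_nachi_worm(pkt):
    """Sequence 10 of the route-map: both match clauses must hit for the set to apply.
    Returns 'Null0' (packet discarded) or 'normal' (falls through to the routing table)."""
    fields = parse_packet(pkt)
    if acl_199_permits(fields) and MATCH_LEN_MIN <= fields["length"] <= MATCH_LEN_MAX:
        return "Null0"
    return "normal"


def classify_samples():
    """Constructed sample traffic; payload sizes are assumed defaults, not measured values."""
    samples = {
        "nachi_probe":        build_icmp_packet(ICMP_ECHO_REQUEST, b"\x00" * 64),  # 92 bytes
        "nachi_reply":        build_icmp_packet(ICMP_ECHO_REPLY, b"\x00" * 64),    # 92 bytes
        "windows_ping":       build_icmp_packet(ICMP_ECHO_REQUEST, b"a" * 32),     # 60 bytes
        "linux_ping":         build_icmp_packet(ICMP_ECHO_REQUEST, b"a" * 56),     # 84 bytes
        "unreachable_92":     build_icmp_packet(3, b"\x00" * 64),                  # type 3, 92 bytes
        "tcp_92":             build_ip_packet(6, b"\x00" * 72),                    # TCP, 92 bytes
    }
    return {name: (len(pkt), route_map_nachi_worm(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (size, action) in classify_samples().items():
        print(f"{name:16s} {size:3d} bytes -> {action}")
```

Running it shows why the advisory's note about collateral damage is honest: any 92-byte echo or echo reply, worm or not, is discarded, while a 92-byte ICMP unreachable or TCP segment is untouched because ACL 199 never matches it.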
The worm will attempt to send packets to random IP addresses, some of which may not exist. When that occurs, the router will reply with an ICMP unreachable packet. In some cases, replying to a large number of requests with invalid IP addresses may result in degradation of the router's performance. To prevent that from occurring, use the following command:
Router(config)# interface <interface>
Router(config-if)# no ip unreachables
Caution: Common network configurations, such as certain types of tunnel structures, require the use of ip unreachables. If the router must be able to send ICMP unreachable packets, you can rate limit the number of replies using the following command:
Router(config)# ip icmp rate-limit unreachable <millisecond>
Beginning with Cisco IOS Software Release 12.0, the default rate limiting is set to two packets per second (500 ms); a value of 2000 ms is commonly used.
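As an added illustration of the trade-off between `no ip unreachables` and `ip icmp rate-limit unreachable`, here is a small Python simulation of mine (not Cisco code, and a simplified model: I assume the limiter lets at most one unreachable out per interval and silently suppresses the rest). It feeds a constructed burst of worm probes to nonexistent addresses, ten per second for two seconds, through the default 500 ms interval, the commonly used 2000 ms, and no limit at all, and returns how many unreachables the router would generate in each case.

```python
def unreachables_sent(trigger_times_ms, interval_ms):
    """Simplified model of 'ip icmp rate-limit unreachable <ms>' (assumption, not IOS source):
    one ICMP unreachable may be sent per interval; triggers inside the interval are suppressed.
    interval_ms == 0 means no rate limiting. Returns the timestamps of the replies actually sent."""
    sent = []
    next_allowed = 0
    for t in sorted(trigger_times_ms):
        if interval_ms == 0 or t >= next_allowed:
            sent.append(t)
            next_allowed = t + interval_ms
    return sent


def simulate_worm_burst(probes_per_second=10, seconds=2):
    """Constructed scenario: the worm scans addresses that do not exist, so every probe
    would normally trigger an ICMP unreachable from the router."""
    step = 1000 // probes_per_second
    triggers = list(range(0, seconds * 1000, step))
    return {
        "no_limit": len(unreachables_sent(triggers, 0)),
        "default_500ms": len(unreachables_sent(triggers, 500)),   # 2 per second
        "common_2000ms": len(unreachables_sent(triggers, 2000)),  # 1 per 2 seconds
        "no_ip_unreachables": 0,                                  # feature disabled on the interface
    }


if __name__ == "__main__":
    for setting, count in simulate_worm_burst().items():
        print(f"{setting:20s} -> {count} unreachables in 2 s")
```

With rate limiting the router still answers at the configured pace, so tunnels or path-MTU discovery that depend on unreachables keep working, but a scanning worm can no longer make the router spend its time generating error replies.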