ICMP Unreachable
When an IOS device receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP unreachable message to the source. In addition, an ICMP unreachable message is used to send a reply to a host to inform it that the device cannot deliver the packet to the requested destination because it does not have a route to the destination address.
One of several common attacks an intruder can launch involves sending crafted packets to the device spoofing random source addresses for which the device has no route. This results in the device replying with an ICMP unreachable packet to all those spoofed hosts. In some cases, a reply to a large number of these requests containing unknown or invalid IP addresses can result in degradation in performance. To prevent such an incident and many other types of attacks, the ICMP unreachable message can be disabled under the interface mode shown in Example 3-8.
Example 3-8. Configuring ICMP Unreachable
Router(config)# interface <interface-id>
Router(config-if)# no ip unreachables
Caution
In some configurations, such as certain types of tunnel structures, the use of ip unreachables is required. If the device must use the ICMP Unreachable feature, an alternative that alleviates performance degradation is to rate limit the number of replies using the ip icmp rate-limit unreachable {milliseconds} command in global configuration mode. In Cisco IOS 12.0 and later, the default rate limit is set to two packets per second.
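The following audit script is an added example, not part of the original text: it scans a saved running-config for interfaces that still send ICMP unreachables and reports any global rate limit. The sample config, the interface names, and the choice to list tunnel interfaces separately (per the caution above) are assumptions; it also assumes that IOS omits the default "ip unreachables" from the running-config.

```python
import re

# Constructed running-config excerpt (not from a real device); addresses are
# documentation ranges and the interface names are assumptions.
SAMPLE_CONFIG = """\
hostname Router
!
ip icmp rate-limit unreachable 1000
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
!
end
"""

RATE_LIMIT = re.compile(r"ip icmp rate-limit unreachable (\d+)$")

def audit_unreachables(config_text):
    """Return (missing, tunnels, rate_limit_ms) for an IOS running-config.

    missing: non-tunnel interfaces without "no ip unreachables"
    tunnels: tunnel interfaces without it (may be required; review by hand)
    rate_limit_ms: configured global rate limit, or None if left at default
    """
    interfaces, current, rate_limit_ms = {}, None, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
            match = RATE_LIMIT.match(line.strip())
            if match:
                rate_limit_ms = int(match.group(1))
    missing, tunnels = [], []
    for name, lines in interfaces.items():
        if "no ip unreachables" not in lines:
            (tunnels if name.lower().startswith("tunnel") else missing).append(name)
    return missing, tunnels, rate_limit_ms

if __name__ == "__main__":
    print(audit_unreachables(SAMPLE_CONFIG))
```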