Limiting Pings

This scenario shows how to enable or remove the ICMP DDoS protection features that mitigate a Ping Flood attack.

[Figure: twoifcs.svg, the two-device topology (DUT0 and DUT1 connected through their eth0 interfaces) used in this scenario]

ICMP Disable Limit On Echo Reply

Description

Effect of disabling an active ICMP DDoS protection for Ping Flood.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.2/24
set system ip icmp rate limit 0
set system ip icmp rate messages-burst 0
set system ip icmp rate messages-per-second 0
set system ip icmp rate type echo_reply
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.1/24
set protocols static route 20.0.0.0/24 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping the IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 5 size 56 timeout 1 interval 0.002
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 40ms

Attention

Depending on the device architecture, after changing messages-burst the previously granted burst allowance (50 by default) must be spent before the new value takes effect. The following command, run from DUT1, exhausts that allowance:

ping 10.0.0.2 count 100 size 1 timeout 1 interval 0.002

Step 4: Modify the following configuration lines in DUT0:

set system ip icmp rate type none

Step 5: Ping the IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 5 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.330 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.513 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.266 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.539 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.332 ms

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4101ms
rtt min/avg/max/mdev = 0.266/0.396/0.539/0.109 ms
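The two ping runs above are the evidence that the echo_reply limit is active (100% loss) or removed (0% loss). When this scenario is automated, the ping summary has to be parsed rather than eyeballed. The following parser is an added example, not part of the original page or of the device's software; it consumes the ping output format shown above (including the optional "+N errors" or "+N duplicates" fields that Linux ping inserts into the statistics line) and reports whether every echo request went unanswered. The two sample outputs are copied from Step 3 and Step 5 of this scenario.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class PingSummary:
    transmitted: int
    received: int
    loss_pct: float
    rtt_avg_ms: Optional[float]  # None when no reply came back at all


# Statistics line, e.g. "5 packets transmitted, 0 received, 100% packet loss, time 40ms".
# The lazy ".*?" skips optional fields such as ", +5 errors" that ping may add.
_STATS_RE = re.compile(
    r"(?P<tx>\d+) packets transmitted, (?P<rx>\d+) received,.*?"
    r"(?P<loss>\d+(?:\.\d+)?)% packet loss"
)
# RTT line, only present when at least one reply was received.
_RTT_RE = re.compile(
    r"rtt min/avg/max/mdev = (?P<min>[\d.]+)/(?P<avg>[\d.]+)/(?P<max>[\d.]+)/(?P<mdev>[\d.]+) ms"
)


def parse_ping(output: str) -> PingSummary:
    """Extract counters and average RTT from the text ping prints on exit."""
    stats = _STATS_RE.search(output)
    if stats is None:
        raise ValueError("no ping statistics line found")
    rtt = _RTT_RE.search(output)
    return PingSummary(
        transmitted=int(stats["tx"]),
        received=int(stats["rx"]),
        loss_pct=float(stats["loss"]),
        rtt_avg_ms=float(rtt["avg"]) if rtt else None,
    )


def echo_reply_limited(output: str) -> bool:
    """True when requests were sent but nothing came back, which is what the
    echo_reply limit with messages-burst 0 / messages-per-second 0 produces."""
    s = parse_ping(output)
    return s.transmitted > 0 and s.received == 0


# Sample outputs copied from Step 3 (limit active) and Step 5 (limit removed) above.
LIMITED_OUTPUT = """PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 40ms
"""

UNLIMITED_OUTPUT = """PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.330 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.332 ms

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4101ms
rtt min/avg/max/mdev = 0.266/0.396/0.539/0.109 ms
"""

if __name__ == "__main__":
    for label, out in (("limit active", LIMITED_OUTPUT), ("limit removed", UNLIMITED_OUTPUT)):
        print(label, parse_ping(out), "limited:", echo_reply_limited(out))
```

A test harness for this scenario would assert `echo_reply_limited(...)` after Step 3 and `not echo_reply_limited(...)` after Step 5; partial loss (for example a stale burst allowance letting the first few replies through) is neither and deserves a dedicated check.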

ICMP Enable Limit On All Echo Reply

Description

Effect of enabling ICMP DDoS protection for Ping Flood.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.0.0.2/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.0.0.1/24
set protocols static route 20.0.0.0/24 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping the IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.366 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.366/0.366/0.366/0.000 ms

Step 4: Ping the IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 5 size 56 timeout 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.275 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.300 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.351 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.380 ms
64 bytes from 10.0.0.2: icmp_seq=5 ttl=64 time=0.344 ms

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4086ms
rtt min/avg/max/mdev = 0.275/0.330/0.380/0.037 ms

Step 5: Modify the following configuration lines in DUT0:

set system ip icmp rate limit 0
set system ip icmp rate messages-burst 0
set system ip icmp rate messages-per-second 0
set system ip icmp rate type echo_reply

Step 6: Ping the IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 5 size 56 timeout 1 interval 0.002
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.

--- 10.0.0.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 41ms

Attention

Depending on the device architecture, after changing messages-burst the previously granted burst allowance (50 by default) must be spent before the new value takes effect. The following command, run from DUT1, exhausts that allowance:

ping 10.0.0.2 count 100 size 1 timeout 1 interval 0.002
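Both scenarios on this page (disabling and enabling the echo_reply limit) and both Attention notes describe the same mechanism: a token bucket that holds at most messages-burst tokens, refills at messages-per-second, and charges one token per ICMP message of a limited type. The model below is an added example written for this page; it is not the device's implementation, and the way it keeps already-granted tokens after a reconfiguration is a modelling assumption chosen to reproduce the caveat in the notes (a bucket filled under the default burst of 50 still releases 50 replies after the burst is set to 0). The per-second default of 1000 used in one scenario is also an assumption, since the page does not state it.

```python
from dataclasses import dataclass, field


@dataclass
class IcmpRateLimiter:
    """Token-bucket model of a global ICMP message limiter (added example, not
    the device's code). Only ICMP types in `limited_types` are charged."""
    messages_per_second: float
    messages_burst: int
    limited_types: frozenset
    tokens: float = field(init=False, default=0.0)
    last_t: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.messages_burst)  # the bucket starts full

    def reconfigure(self, messages_per_second, messages_burst, limited_types):
        """Apply new settings. Assumption modelling the page's caveat: tokens
        already in the bucket are kept, so an old allowance must be spent first."""
        self.messages_per_second = messages_per_second
        self.messages_burst = messages_burst
        self.limited_types = frozenset(limited_types)

    def allow(self, t: float, icmp_type: str) -> bool:
        """Decide whether a message of `icmp_type` may be sent at time `t` (seconds)."""
        if icmp_type not in self.limited_types:
            return True  # 'type none' or an unlisted type: never limited
        elapsed = max(0.0, t - self.last_t)
        self.last_t = t
        # Refill up to the configured burst, but never discard stale tokens.
        refilled = min(float(self.messages_burst), self.tokens + elapsed * self.messages_per_second)
        self.tokens = max(self.tokens, refilled)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limiter, count, interval_s, icmp_type="echo_reply", start_t=0.0):
    """Return how many of `count` replies spaced `interval_s` apart get through."""
    return sum(limiter.allow(start_t + i * interval_s, icmp_type) for i in range(count))


def run_scenarios():
    results = {}
    # 'rate type none': nothing is limited, the 5-packet ping of Step 5 / Step 4 succeeds.
    off = IcmpRateLimiter(1000, 50, frozenset())
    results["type_none"] = simulate(off, 5, 1.0)
    # Default burst 50 with an assumed 1000 msg/s: a 100-packet ping at 2 ms is not throttled.
    defaults = IcmpRateLimiter(1000, 50, frozenset({"echo_reply"}))
    results["assumed_defaults_100"] = simulate(defaults, 100, 0.002)
    # burst 0 / per-second 0 on echo_reply, bucket empty from the start: Step 3 / Step 6.
    on = IcmpRateLimiter(0, 0, frozenset({"echo_reply"}))
    results["echo_reply_zero"] = simulate(on, 5, 0.002)
    # Other ICMP types are untouched by an echo_reply-only limit.
    results["other_type"] = simulate(on, 3, 0.002, icmp_type="dest_unreach")
    # The caveat: bucket filled under burst 50, then reconfigured to 0/0.
    stale = IcmpRateLimiter(1000, 50, frozenset({"echo_reply"}))
    stale.reconfigure(0, 0, {"echo_reply"})
    results["stale_burst_100"] = simulate(stale, 100, 0.002)   # first 50 still answered
    results["after_drain_5"] = simulate(stale, 5, 0.002, start_t=1.0)  # allowance spent
    return results


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name}: {passed} replies passed")
```

The "stale_burst_100" scenario is why the notes send a 100-packet ping before re-testing: with the old allowance still in the bucket, a 5-packet ping would show 0% loss and make the new limit look ineffective.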