=====================================
ICMP
=====================================

.. sidebar:: Contents

   .. contents::
      :depth: 2
      :local:

DDoS (Distributed Denial of Service) attacks often exploit certain protocols like ICMP to overwhelm and flood networks or devices. ICMP is commonly used for diagnostic functions like ``ping`` and ``traceroute``, but it can be misused in large-scale attacks.

This section outlines how to enable or disable the built-in protection against this type of attack and how that protection behaves.

Configuration
=============

Message Types
-------------

There are different types of ICMP messages. The built-in limitation capabilities target each message type individually.

- ``Echo Reply``: Sent in response to an ``Echo Request`` to indicate that the destination is reachable.
- ``Destination Unreachable``: Informs the sender that the destination cannot be reached for various reasons (e.g., network unreachable).
- ``Source Quench``: Indicates that the sender should slow down its packet transmission due to congestion.
- ``Redirect``: Sent by routers to inform hosts of a better route for packet forwarding.
- ``Echo Request``: Used to test the reachability of a host by sending a request for an ``Echo Reply``.
- ``Time Exceeded``: Sent when a packet's Time-to-Live (TTL) value expires, indicating that it was discarded.
- ``Parameter Problem``: Sent when there is an error in the header of the received packet, such as an invalid option.
- ``Timestamp Request``: Requests the timestamp of a remote device for synchronization purposes.
- ``Timestamp Reply``: Sent in response to a ``Timestamp Request`` containing the time when the request was received.
- ``Info Request``: Used in older systems to query the state of an internet device.
- ``Info Reply``: Sent in response to an ``Info Request`` containing device information.
- ``Address Mask Request``: Obtains a subnet mask from a host or router.
- ``Address Mask Reply``: Sent in response to an ``Address Mask Request`` to provide the subnet mask.

``Destination Unreachable``, ``Source Quench``, ``Time Exceeded`` and ``Parameter Problem`` are limited by default. You can change the list of limited types by entering the command :osdx:cfg:`system ip icmp rate type *` followed by a list of types to limit, written in snake_case. You can also enter ``none`` or ``all`` for ease of use. For example, you can apply limits only to ``Echo Reply`` using the following command:

.. code-block:: none

   set system ip icmp rate type echo_reply

.. note::

   Per host and global limits only apply to the selected types.

Per Host Limit
--------------

Limits can be imposed per host or globally. To limit the ICMP response traffic sent to each host, use the command :osdx:cfg:`system ip icmp rate limit *`, where the limit is the minimum number of milliseconds that must elapse between consecutive responses (i.e. a value of ``1000`` means 1 response per second). This limit can be disabled by setting it to ``0``.

Global Limit
------------

A global limit on traffic can be imposed by entering the commands :osdx:cfg:`system ip icmp rate messages-per-second *` and :osdx:cfg:`system ip icmp rate messages-burst *`.

- ``messages-per-second``: Controls the number of ICMP packets sent per second.
- ``messages-burst``: Controls how many packets can be sent before the limits take effect. It takes precedence over ``messages-per-second``.

You can globally limit all ICMP responses of the selected types using the following commands:

.. code-block:: none

   set system ip icmp rate messages-burst 0
   set system ip icmp rate messages-per-second 0

.. attention::

   For optimization reasons, some architectures keep an internal credit based on the ``messages-burst`` variable instead of checking the limit every time an ICMP packet is sent. As a result, a change could take as many ICMP packets as the previous value of ``messages-burst`` to take effect.
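The following Python model is an added illustration, not OSDx code, of how the three settings above (``rate type``, the per-host ``rate limit`` in milliseconds, and the global ``messages-per-second``/``messages-burst`` pair) combine when responses are generated. The type names and the ``none``/``all`` shorthands are those of the page; the class names, the credit-bucket model and the constructed traffic are assumptions of this example. The credit model reproduces the behaviour of the attention note: lowering ``messages-burst`` only bites once the credit already granted has been spent.

```python
"""Model of OSDx-style ICMP response rate limiting (illustration only)."""

ICMP_TYPES = {
    "echo_reply", "destination_unreachable", "source_quench", "redirect",
    "echo_request", "time_exceeded", "parameter_problem", "timestamp_request",
    "timestamp_reply", "info_request", "info_reply", "address_mask_request",
    "address_mask_reply",
}
# Types limited when `system ip icmp rate type` has not been changed.
DEFAULT_LIMITED = {"destination_unreachable", "source_quench",
                   "time_exceeded", "parameter_problem"}


def parse_rate_types(tokens):
    """Turn the argument list of `rate type` into the set of limited types."""
    if tokens == ["none"]:
        return set()
    if tokens == ["all"]:
        return set(ICMP_TYPES)
    unknown = [t for t in tokens if t not in ICMP_TYPES]
    if unknown:
        raise ValueError(f"unknown ICMP type(s): {unknown}")
    return set(tokens)


class PerHostInterval:
    """Minimum spacing (ms) between responses to one host for one type; 0 disables."""

    def __init__(self, limit_ms):
        self.limit_ms = limit_ms
        self.last = {}  # (host, type) -> time of the last response sent

    def allow(self, host, icmp_type, now_ms):
        if self.limit_ms == 0:
            return True
        last = self.last.get((host, icmp_type))
        if last is not None and now_ms - last < self.limit_ms:
            return False
        self.last[(host, icmp_type)] = now_ms
        return True


class GlobalCredit:
    """Credit bucket refilled at msgs_per_second and capped at burst (assumed model).

    A reconfiguration leaves the credit already granted untouched, so a smaller
    burst is only felt once that credit has been spent.
    """

    def __init__(self, msgs_per_second, burst, now_ms=0):
        self.rate, self.burst, self.credit, self.stamp = msgs_per_second, burst, burst, now_ms

    def reconfigure(self, msgs_per_second=None, burst=None):
        self.rate = self.rate if msgs_per_second is None else msgs_per_second
        self.burst = self.burst if burst is None else burst

    def allow(self, now_ms):
        elapsed = now_ms - self.stamp
        if elapsed > 0:
            if self.credit < self.burst:  # top up only while below the cap
                self.credit = min(self.burst, self.credit + elapsed * self.rate / 1000)
            self.stamp = now_ms
        if self.credit >= 1:
            self.credit -= 1
            return True
        return False


class IcmpRateLimiter:
    """Unselected types pass untouched; selected types face both limiters."""

    def __init__(self, limited_types, per_host_ms, msgs_per_second, burst):
        self.limited = set(limited_types)
        self.per_host = PerHostInterval(per_host_ms)
        self.global_credit = GlobalCredit(msgs_per_second, burst)

    def allow(self, host, icmp_type, now_ms):
        if icmp_type not in self.limited:
            return True
        # Per-host check first so a host already throttled does not burn global credit.
        if not self.per_host.allow(host, icmp_type, now_ms):
            return False
        return self.global_credit.allow(now_ms)


def simulate_flood(limiter, hosts, icmp_type, packets_per_host, spacing_ms):
    """Constructed traffic: every host triggers one response every spacing_ms."""
    allowed = 0
    for i in range(packets_per_host):
        for host in hosts:
            allowed += limiter.allow(host, icmp_type, i * spacing_ms)
    return allowed


def responses_after_burst_change(old_burst, used, new_burst):
    """How many more responses leave after burst is lowered (rate 0 = no refill)."""
    bucket = GlobalCredit(0, old_burst)
    for _ in range(used):
        bucket.allow(0)
    bucket.reconfigure(burst=new_burst)
    return sum(1 for _ in range(old_burst) if bucket.allow(0))


if __name__ == "__main__":
    limiter = IcmpRateLimiter(DEFAULT_LIMITED, per_host_ms=0, msgs_per_second=1000, burst=50)
    print("two hosts, 100 Time Exceeded each, 1 ms apart:",
          simulate_flood(limiter, ["10.0.0.1", "10.0.0.2"], "time_exceeded", 100, 1), "/ 200 sent")
    print("after lowering burst 50 -> 5 with 40 credit left:",
          responses_after_burst_change(50, 10, 5), "more responses still leave")
```

With the constructed two-host flood, the bucket starts with 50 credits and refills one per millisecond while two responses are requested per millisecond, so the credit runs out after 49 ms and only one response per millisecond leaves from then on. The last function shows the attention note numerically: with 40 credits left from a burst of 50, lowering the burst to 5 still lets 40 responses through before the new value is felt.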
Examples
========

- :doc:`Pings `
- :doc:`Traceroute `

Command Summary
===============

.. depth=2 to show traffic policy actions

.. osdx:cmdtree:: cfg
   :maxdepth: 2

   system ip icmp rate