ICMP

DDoS (Distributed Denial of Service) attacks often exploit protocols such as ICMP to flood networks or devices. ICMP is commonly used for diagnostic functions such as ping and traceroute, but it can be misused in large-scale attacks. This section describes how to enable or disable the built-in protection against this type of attack and how that protection behaves.

Configuration

Message Types

There are different types of ICMP messages. Built-in limitation capabilities individually target each message type.

  • Echo Reply: Sent in response to an Echo Request to indicate that the destination is reachable.

  • Destination Unreachable: Informs the sender that the destination cannot be reached for various reasons (e.g., network unreachable).

  • Source Quench: Indicates that the sender should slow down its packet transmission due to congestion.

  • Redirect: Sent by routers to inform hosts of a better route for packet forwarding.

  • Echo Request: Used to test the reachability of a host by sending a request for an Echo Reply.

  • Time Exceeded: Sent when a packet’s Time-to-Live (TTL) value expires, indicating that it was discarded.

  • Parameter Problem: Sent when there is an error in the header of the received packet, such as an invalid option.

  • Timestamp Request: Requests the timestamp of a remote device for synchronization purposes.

  • Timestamp Reply: Sent in response to a Timestamp Request containing the time when the request was received.

  • Info Request: Used in older systems to query the state of an internet device.

  • Info Reply: Sent in response to an Info Request containing device information.

  • Address Mask Request: Obtains a subnet mask from a host or router.

  • Address Mask Reply: Sent in response to an Address Mask Request to provide the subnet mask.

Destination Unreachable, Source Quench, Time Exceeded and Parameter Problem are limited by default.

You can change the list of limited types by entering the command system ip icmp rate type <txt> followed by a list of the types to limit, written in snake_case. You can also enter none or all for convenience.

For example, you can apply limits only to Echo Reply using the following command:

set system ip icmp rate type echo_reply

Note

Per host and global limits only work on the selected types.

Per Host Limit

Limits can be imposed per host or globally. To limit ICMP response traffic per host, use the command system ip icmp rate limit <u32>, where the limit is the minimum number of milliseconds that must elapse between responses to the same host (i.e. a value of 1000 means at most 1 response per second). Setting the limit to 0 disables it.

Global Limit

A global limit on traffic can be imposed by entering the commands system ip icmp rate messages-per-second <u32> and system ip icmp rate messages-burst <u32>.

  • messages-per-second: Controls the number of ICMP packets sent per second.

  • messages-burst: Controls how many packets can be sent before the limits take effect. It takes precedence over messages-per-second.

You can globally limit all ICMP responses of the selected types using the following commands:

set system ip icmp rate messages-burst 0
set system ip icmp rate messages-per-second 0

Attention

For optimization reasons, some architectures keep an internal credit based on the messages-burst value instead of checking the limit every time an ICMP packet is sent. As a result, a change can take as many ICMP packets as the previous messages-burst value to take effect.
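The following Python model is an added illustration of how the three controls described above (the rate type list, the per-host interval and the global messages-per-second/messages-burst credit) fit together; it is constructed for this page and is not the product's own implementation. The ICMP type numbers come from RFC 792 and RFC 950, the snake_case names mirror the list above, the traffic and addresses are constructed, and the credit bookkeeping is one plausible reading of the Attention note (credit refilled from messages-per-second, capped at messages-burst, and deliberately not reset on reconfiguration).

```python
from dataclasses import dataclass, field

# ICMP type numbers (RFC 792 / RFC 950) keyed by the snake_case names the CLI accepts.
ICMP_TYPES = {
    "echo_reply": 0,
    "destination_unreachable": 3,
    "source_quench": 4,
    "redirect": 5,
    "echo_request": 8,
    "time_exceeded": 11,
    "parameter_problem": 12,
    "timestamp_request": 13,
    "timestamp_reply": 14,
    "info_request": 15,
    "info_reply": 16,
    "address_mask_request": 17,
    "address_mask_reply": 18,
}

# The types the page says are limited by default.
DEFAULT_LIMITED_TYPES = "destination_unreachable source_quench time_exceeded parameter_problem"


def parse_rate_type(spec):
    """Turn the 'rate type' argument (space-separated snake_case names, or the
    shortcuts 'none' / 'all') into the set of ICMP type numbers that are limited."""
    words = spec.split()
    if words == ["none"]:
        return set()
    if words == ["all"]:
        return set(ICMP_TYPES.values())
    unknown = [w for w in words if w not in ICMP_TYPES]
    if unknown:
        raise ValueError(f"unknown ICMP type name(s): {unknown}")
    return {ICMP_TYPES[w] for w in words}


@dataclass
class IcmpRateLimiter:
    """Constructed model: per-host minimum interval plus a global token bucket."""
    limited_types: set
    per_host_ms: int = 1000           # 'rate limit'; 0 disables the per-host check
    messages_per_second: int = 1000   # global refill rate
    messages_burst: int = 50          # global credit ceiling
    _credit: int = field(init=False)
    _stamp_ms: int = field(init=False, default=0)
    _last_sent_ms: dict = field(init=False, default_factory=dict)

    def __post_init__(self):
        self._credit = self.messages_burst  # credit starts full

    def reconfigure(self, messages_per_second=None, messages_burst=None):
        """Change the global settings. As in the Attention note, the credit already
        held is NOT discarded, so the old burst can still drain before the new limit bites."""
        if messages_per_second is not None:
            self.messages_per_second = messages_per_second
        if messages_burst is not None:
            self.messages_burst = messages_burst

    def _refill(self, now_ms):
        # Earn whole tokens for the elapsed time; fractional time carries over.
        earned = (now_ms - self._stamp_ms) * self.messages_per_second // 1000
        if earned > 0:
            self._credit = min(self.messages_burst, self._credit + earned)
            self._stamp_ms = now_ms

    def allow(self, icmp_type, host, now_ms):
        """Return True if a response of icmp_type to host may be sent at now_ms."""
        if icmp_type not in self.limited_types:
            return True  # only selected types are subject to either limit
        if self.per_host_ms:
            last = self._last_sent_ms.get(host)
            if last is not None and now_ms - last < self.per_host_ms:
                return False
        self._refill(now_ms)
        if self._credit <= 0:
            return False
        self._credit -= 1
        self._last_sent_ms[host] = now_ms
        return True


def run(limiter, events):
    """events: (time_ms, icmp_type, host) tuples; returns how many responses were allowed."""
    return sum(limiter.allow(t, h, now) for now, t, h in sorted(events))


def demo_per_host():
    # Constructed: one host triggers Destination Unreachable every 200 ms for a second,
    # plus one Echo Reply, which is not in the default limited set.
    lim = IcmpRateLimiter(parse_rate_type(DEFAULT_LIMITED_TYPES), per_host_ms=1000)
    events = [(t, ICMP_TYPES["destination_unreachable"], "10.0.0.7") for t in range(0, 1001, 200)]
    events.append((300, ICMP_TYPES["echo_reply"], "10.0.0.7"))
    return run(lim, events)  # t=0 and t=1000 pass, the four in between do not, the echo reply always does


def demo_global_burst():
    # Constructed: 20 distinct hosts at once, then 3 more 100 ms later, with 'all' types limited.
    lim = IcmpRateLimiter(parse_rate_type("all"), per_host_ms=0, messages_per_second=10, messages_burst=5)
    first = run(lim, [(0, ICMP_TYPES["echo_reply"], f"192.0.2.{i}") for i in range(20)])
    second = run(lim, [(100, ICMP_TYPES["echo_reply"], f"192.0.2.{i}") for i in range(3)])
    return first, second  # the burst credit lets 5 through; 100 ms at 10/s earns exactly 1 more


def demo_reconfigure_lag():
    # Constructed: both global knobs are set to 0 while 5 credits are still held.
    lim = IcmpRateLimiter(parse_rate_type("all"), per_host_ms=0, messages_per_second=10, messages_burst=5)
    lim.reconfigure(messages_per_second=0, messages_burst=0)
    return run(lim, [(0, ICMP_TYPES["echo_reply"], f"198.51.100.{i}") for i in range(8)])
```

demo_reconfigure_lag shows the effect the Attention note warns about: the stored credit from the previous messages-burst value still lets that many packets through after both global values have been set to 0, which is why a freshly lowered limit may not be visible until the old burst has drained.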

Examples

Command Summary

Configuration commands