Limiting Traceroute

This scenario shows how to set or remove ICMP DDoS protection features for the ICMP Flood attack.

../../../../../_images/threeifcs.svg

ICMP Disable Limit On Time Exceeded

Description

Effect of disabling an active ICMP DDoS protection for the ICMP Flood attack.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth1 address 20.0.0.2/24
set system ip icmp rate limit 0
set system ip icmp rate messages-burst 0
set system ip icmp rate messages-per-second 0
set system ip icmp rate type time_exceeded
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.0.0.1/24
set protocols static route 20.0.0.0/24 next-hop 10.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 address 20.0.0.3/24
set protocols static route 10.0.0.0/24 next-hop 20.0.0.2
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Run command traceroute 20.0.0.3 at DUT1 and check if output matches the following regular expressions:

(1\s+\*\s+\*\s+\*)
(20.0.0.3)
Show output
traceroute to 20.0.0.3 (20.0.0.3), 30 hops max, 60 byte packets
 1  * * *
 2  20.0.0.3  0.505 ms  0.497 ms  0.489 ms

Attention

Depending on the architecture of the device after setting messages-burst the previous burst allowance must be spent before changes take effect, by default is set to 50.

Show output
ping 20.0.0.3 count 50 size 1 timeout 1 interval 0.002 ttl 1

Step 5: Modify the following configuration lines in DUT0 :

set system ip icmp rate type none

Attention

Depending on the architecture of the device after setting messages-burst the previous burst allowance must be spent before changes take effect, by default is set to 50.

Show output
ping 20.0.0.3 count 50 size 1 timeout 1 interval 0.002 ttl 1

Step 6: Run command traceroute 20.0.0.3 at DUT1 and check if output matches the following regular expressions:

(10.0.0.2)
(20.0.0.3)
Show output
traceroute to 20.0.0.3 (20.0.0.3), 30 hops max, 60 byte packets
 1  10.0.0.2  0.239 ms  0.208 ms  0.200 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * 20.0.0.3  0.621 ms  0.587 ms

ICMP Enable Limit On Time Exceeded

Description

Effect of enabling an active ICMP DDoS protection for the ICMP Flood attack.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces ethernet eth0 address 10.0.0.2/24
set interfaces ethernet eth1 address 20.0.0.2/24
set system ip icmp rate type none
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 10.0.0.1/24
set protocols static route 20.0.0.0/24 next-hop 10.0.0.2
set system ip icmp rate type none
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth0 address 20.0.0.3/24
set protocols static route 10.0.0.0/24 next-hop 20.0.0.2
set system ip icmp rate type none
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Ping IP address 20.0.0.3 from DUT1:

admin@DUT1$ ping 20.0.0.3 count 1 size 56 timeout 1
Show output
PING 20.0.0.3 (20.0.0.3) 56(84) bytes of data.
64 bytes from 20.0.0.3: icmp_seq=1 ttl=63 time=0.528 ms

--- 20.0.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.528/0.528/0.528/0.000 ms

Attention

Depending on the architecture of the device after setting messages-burst the previous burst allowance must be spent before changes take effect, by default is set to 50.

Show output
ping 20.0.0.3 count 50 size 1 timeout 1 interval 0.002 ttl 1

Step 5: Run command traceroute 20.0.0.3 at DUT1 and check if output matches the following regular expressions:

(10.0.0.2)
(20.0.0.3)
Show output
traceroute to 20.0.0.3 (20.0.0.3), 30 hops max, 60 byte packets
 1  10.0.0.2  0.276 ms  0.246 ms  0.237 ms
 2  20.0.0.3  0.617 ms  0.609 ms  0.601 ms

Step 6: Modify the following configuration lines in DUT0 :

set system ip icmp rate limit 0
set system ip icmp rate messages-burst 0
set system ip icmp rate messages-per-second 0
set system ip icmp rate type time_exceeded

Step 7: Run command traceroute 20.0.0.3 at DUT1 and check if output matches the following regular expressions:

(1\s+\*\s+\*\s+\*)
(20.0.0.3)
Show output
traceroute to 20.0.0.3 (20.0.0.3), 30 hops max, 60 byte packets
 1  * * *
 2  20.0.0.3  0.382 ms  0.374 ms  0.365 ms

Attention

Depending on the architecture of the device after setting messages-burst the previous burst allowance must be spent before changes take effect, by default is set to 50.

Show output
ping 20.0.0.3 count 50 size 1 timeout 1 interval 0.002 ttl 1