Avoiding being a victim in a smurf attack, Protection against icmp attacks – Brocade TurboIron 24X Series Configuration Guide User Manual


1024

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Protecting against Smurf attacks

Avoiding being a victim in a Smurf attack

You can configure the device to drop ICMP packets when excessive numbers are encountered, as is
the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP
packets that are targeted at the router itself or passing through an interface, and drop them when
the thresholds are exceeded.

Protection against ICMP attacks

The ICMP flood attack protection is implemented in hardware on devices. This feature can coexist
with port-based rate-limiting, MAC filters, Layer 4 ACLs, and other features.

You can set threshold values for ICMP packets that are targeted at the router itself or passing
through an interface, and drop them when the thresholds are exceeded.

The syntax to set threshold values for ICMP packets targeted on a device is as follows.

Syntax: ip icmp attack-rate burst-normal <value> burst-max <value> lockup <seconds>

The attack-rate keyword indicates that the burst-normal and burst-max values are specified in
kilobits per second (kbps).

The burst-normal value ranges from 20 through 10000000.

The burst-max value ranges from 20 through 10000000.

The lockup value ranges from 1 through 10000.

The number of incoming ICMP packets per second is measured and compared to the threshold
values as follows:

If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are
dropped.

If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for
the number of seconds specified by the lockup value. When the lockup period expires, the
packet counter is reset and measurement is restarted.
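The two-tier behaviour above (excess dropped above burst-normal, everything dropped for the lockup period above burst-max, counter reset afterwards) is easier to reason about when replayed against a traffic series. The following script is an added illustration, not Brocade code: it parses one constructed command line of the form shown in the syntax above, enforces the value ranges the manual quotes, and replays a constructed per-second series of offered ICMP rates through both thresholds. Assumed here, not stated by the manual: the sampling interval is one second, the interval in which burst-max is exceeded is itself fully dropped and the lockup then covers the following lockup intervals, and the counters are unit-agnostic (the manual quotes kbps for the command and packets per second for the measurement, so check the CLI help on your release).

```python
"""Model of the two-tier ICMP threshold and lockup behaviour described above.

Added illustration, not Brocade code. Assumptions (not from the manual):
one-second sampling interval; the interval that exceeds burst-max is fully
dropped and the lockup covers the following `lockup` intervals; the rate unit
is whatever the platform counts in (the manual quotes kbps for the command and
packets per second for the measurement).
"""
import re
from dataclasses import dataclass

# Constructed example command; these threshold values are illustrative only.
CONFIG_LINE = "ip icmp attack-rate burst-normal 5000 burst-max 10000 lockup 3"

# Constructed offered ICMP rate per one-second interval (same unit as the thresholds).
OFFERED = [1000, 6000, 12000, 500, 500, 500, 500, 7000]

_PATTERN = re.compile(
    r"^ip icmp attack-rate burst-normal (\d+) burst-max (\d+) lockup (\d+)$"
)


@dataclass(frozen=True)
class IcmpAttackRate:
    burst_normal: int
    burst_max: int
    lockup: int

    @classmethod
    def parse(cls, line: str) -> "IcmpAttackRate":
        """Parse the command and enforce the value ranges quoted in the manual."""
        m = _PATTERN.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised command: {line!r}")
        burst_normal, burst_max, lockup = (int(g) for g in m.groups())
        for name, value in (("burst-normal", burst_normal), ("burst-max", burst_max)):
            if not 20 <= value <= 10_000_000:
                raise ValueError(f"{name} must be 20..10000000, got {value}")
        if not 1 <= lockup <= 10_000:
            raise ValueError(f"lockup must be 1..10000, got {lockup}")
        return cls(burst_normal, burst_max, lockup)


def is_valid_line(line: str) -> bool:
    """True if the line parses and every value is inside the documented range."""
    try:
        IcmpAttackRate.parse(line)
    except ValueError:
        return False
    return True


@dataclass(frozen=True)
class Interval:
    second: int
    offered: int
    forwarded: int
    dropped: int
    locked: bool


def simulate(cfg: IcmpAttackRate, offered_per_second):
    """Replay a per-second series of offered ICMP rates through the thresholds.

    Above burst-normal only the excess is dropped; above burst-max everything
    is dropped for `lockup` seconds, after which the counter is reset and
    measurement restarts.
    """
    intervals = []
    lock_remaining = 0
    for t, offered in enumerate(offered_per_second):
        if lock_remaining > 0:
            # Still inside the lockup window: every ICMP packet is dropped.
            lock_remaining -= 1
            intervals.append(Interval(t, offered, 0, offered, True))
        elif offered > cfg.burst_max:
            # burst-max exceeded: drop this interval and start the lockup timer
            # (modelling choice: lockup counts the intervals that follow).
            lock_remaining = cfg.lockup
            intervals.append(Interval(t, offered, 0, offered, True))
        else:
            # Normal operation: forward up to burst-normal, drop only the excess.
            forwarded = min(offered, cfg.burst_normal)
            intervals.append(Interval(t, offered, forwarded, offered - forwarded, False))
    return intervals


def summarize(intervals):
    """Return (total forwarded, total dropped, number of locked intervals)."""
    forwarded = sum(i.forwarded for i in intervals)
    dropped = sum(i.dropped for i in intervals)
    locked = sum(1 for i in intervals if i.locked)
    return forwarded, dropped, locked


if __name__ == "__main__":
    cfg = IcmpAttackRate.parse(CONFIG_LINE)
    print(f"{'sec':>3} {'offered':>8} {'fwd':>6} {'drop':>6}  state")
    for iv in simulate(cfg, OFFERED):
        state = "LOCKED" if iv.locked else ("excess dropped" if iv.dropped else "ok")
        print(f"{iv.second:>3} {iv.offered:>8} {iv.forwarded:>6} {iv.dropped:>6}  {state}")
    print("forwarded, dropped, locked intervals:", summarize(simulate(cfg, OFFERED)))
```

With the constructed series, second 1 is trimmed to burst-normal, second 2 exceeds burst-max and is dropped outright, seconds 3 through 5 are dropped even though their offered rate is tiny (this is the cost of the lockup to legitimate ICMP such as path-MTU discovery), and forwarding resumes in second 6. The point for tuning is that burst-max and lockup trade a shorter attack window against collateral loss of all ICMP for the lockup period.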

Configuration notes

Consider the following when DoS attack protection is implemented at the port level or VLAN
level.

ACL-based ingress rate limiting for an ICMP flow on a port is not accurate if ICMP DoS attack
protection is enabled on the same port. Non-ICMP flows are not affected.

ICMP DoS attack protection counts packets that port-based ingress rate limiting has already
marked for drop. Even if port-based ingress rate limiting reduces the forwarded packet or byte
rate, a DoS attack is still detected using the actual ingress packet or byte rate on the port.

NOTE

If you configure both DoS attack protection and an ACL or MAC filter, the DoS attack statistics for
dropped ICMP or TCP SYN packets increment even if the ACL or MAC filter denies the traffic.
