A very simple way of protecting a router from an ICMP DDoS attack.

ip access-list extended ICMP
permit icmp any any
class-map match-any ICMP
match access-group name ICMP
policy-map ICMP-limit
class ICMP
police rate 20000 bps conform-action transmit exceed-action drop violate-action drop
control-plane
service-policy input ICMP-limit

This configuration limits ICMP traffic reaching the router's control plane to 20 Kbps; the policy must be attached under control-plane, which is where the show command below reads it from.


#show policy-map control-plane
Control Plane
  Service-policy output: ICMP-limit
    Class-map: ICMP (match-any) 
      4732 packets, 520478 bytes
      5 minute offered rate 8000 bps, drop rate 2000 bps
      Match: access-group name ICMP
        4732 packets, 520478 bytes
        5 minute rate 8000 bps
         rate 20000 bps, burst 1500 bytes, peak-burst 1500 bytes
        conformed 3536 packets, 388954 bytes; actions:
        exceeded 1106 packets, 121684 bytes; actions:
        violated 90 packets, 9840 bytes; actions:
          drop
        conformed 6000 bps, exceeded 2000 bps, violated 0000 bps
    Class-map: class-default (match-any) 
      576 packets, 39867 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any

As you can see, it limits ICMP traffic to 20 Kbps and has started dropping ICMP packets: the exceeded and violated counters are the packets the policer dropped.
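As an added example (not part of the original post), a small Python parser that reads this show policy-map control-plane output and flags classes whose policer is dropping more than a set fraction of packets; the sample output is constructed from the post's counters, and the function names and the 10% threshold are my assumptions.

```python
import re

# Constructed sample: the counters from the post's "show policy-map control-plane".
SAMPLE = """\
Control Plane
  Service-policy input: ICMP-limit
    Class-map: ICMP (match-any)
      4732 packets, 520478 bytes
      5 minute offered rate 8000 bps, drop rate 2000 bps
      Match: access-group name ICMP
        conformed 3536 packets, 388954 bytes; actions:
          transmit
        exceeded 1106 packets, 121684 bytes; actions:
          drop
        violated 90 packets, 9840 bytes; actions:
          drop
        conformed 6000 bps, exceeded 2000 bps, violated 0000 bps
    Class-map: class-default (match-any)
      576 packets, 39867 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-\w+)\)")
RATE_RE = re.compile(r"^\s*5 minute offered rate (\d+) bps, drop rate (\d+) bps")
POLICER_RE = re.compile(r"^\s*(conformed|exceeded|violated) (\d+) packets, (\d+) bytes; actions:")

def parse_copp(output):
    """Return {class_name: {offered_bps, drop_bps, <color>_packets}} per CoPP class."""
    classes, current = {}, None
    for line in output.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        m = RATE_RE.match(line)
        if m:
            current["offered_bps"], current["drop_bps"] = int(m.group(1)), int(m.group(2))
            continue
        m = POLICER_RE.match(line)
        if m:  # conformed/exceeded/violated packet counters of the policer
            current[m.group(1) + "_packets"] = int(m.group(2))
    return classes

def policer_drop_ratio(stats):
    """Fraction of policed packets that exceeded or violated the rate (dropped here)."""
    c, e, v = (stats.get(k + "_packets", 0) for k in ("conformed", "exceeded", "violated"))
    return (e + v) / (c + e + v) if c + e + v else 0.0

def copp_alerts(output, max_drop_ratio=0.10):
    """Names of classes whose policer drops more than max_drop_ratio of their packets."""
    return [n for n, s in parse_copp(output).items() if policer_drop_ratio(s) > max_drop_ratio]
```

A sustained high drop ratio on the ICMP class is the signal to investigate sources, since the policer protects the CPU but does not tell you who is flooding it.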

For more information, check the Cisco Control-Plane page.

Controlling ICMP (DDOS) via Cisco Control-Plane