A very simple way of protecting a router from an ICMP DDoS attack.
ip access-list extended ICMP
 permit icmp any any
!
class-map match-any ICMP
 match access-group name ICMP
!
policy-map ICMP-limit
 class ICMP
  police rate 20000 bps
   conform-action transmit
   exceed-action drop
   violate-action drop
!
control-plane
 service-policy input ICMP-limit
This configuration limits ICMP traffic to the control plane to 20 Kbps.
#show policy-map control-plane
 Control Plane

  Service-policy output: ICMP-limit

    Class-map: ICMP (match-any)
      4732 packets, 520478 bytes
      5 minute offered rate 8000 bps, drop rate 2000 bps
      Match: access-group name ICMP
        4732 packets, 520478 bytes
        5 minute rate 8000 bps
      police:
          rate 20000 bps, burst 1500 bytes, peak-burst 1500 bytes
        conformed 3536 packets, 388954 bytes; actions:
          transmit
        exceeded 1106 packets, 121684 bytes; actions:
          drop
        violated 90 packets, 9840 bytes; actions:
          drop
        conformed 6000 bps, exceeded 2000 bps, violated 0000 bps

    Class-map: class-default (match-any)
      576 packets, 39867 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any
As you can see, the policer limits ICMP traffic to 20 Kbps and has started dropping ICMP packets.
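To watch the policer over time, the counters in that output can be parsed and turned into a drop ratio. The script below is an added example, not part of the original post: it embeds the ICMP class portion of the output shown above, and the function names and the 10% alert threshold are assumptions to tune for your own router.

```python
import re

# ICMP class section of "show policy-map control-plane", as shown on this page.
SAMPLE = """\
Class-map: ICMP (match-any)
  4732 packets, 520478 bytes
  5 minute offered rate 8000 bps, drop rate 2000 bps
  Match: access-group name ICMP
    4732 packets, 520478 bytes
    5 minute rate 8000 bps
  police:
      rate 20000 bps, burst 1500 bytes, peak-burst 1500 bytes
    conformed 3536 packets, 388954 bytes; actions:
      transmit
    exceeded 1106 packets, 121684 bytes; actions:
      drop
    violated 90 packets, 9840 bytes; actions:
      drop
    conformed 6000 bps, exceeded 2000 bps, violated 0000 bps
"""

# Matches the cumulative packet counters only; the final "conformed 6000 bps"
# rate line has no "packets" field and is skipped.
COUNTER = re.compile(
    r"(conformed|exceeded|violated)\s+(\d+)\s+packets,\s+(\d+)\s+bytes;"
    r"\s*actions:\s*(\S+)"
)

def parse_policer(text):
    """Return {state: (packets, bytes, action)} for one policed class."""
    return {m[1]: (int(m[2]), int(m[3]), m[4]) for m in COUNTER.finditer(text)}

def drop_summary(text):
    """Packets seen by the policer, packets dropped, and the dropped fraction."""
    counters = parse_policer(text)
    seen = sum(p for p, _, _ in counters.values())
    dropped = sum(p for p, _, action in counters.values() if action == "drop")
    return {"seen": seen, "dropped": dropped,
            "ratio": dropped / seen if seen else 0.0}

def should_alert(text, threshold=0.10):
    """threshold is an assumed value, not from the page; tune it per router."""
    return drop_summary(text)["ratio"] > threshold

if __name__ == "__main__":
    s = drop_summary(SAMPLE)
    print(f"{s['dropped']}/{s['seen']} ICMP packets dropped ({s['ratio']:.1%})")
```

The three counters sum to the 4732 packets reported for the class, so the ratio reflects every ICMP packet the policer has seen since the counters were last cleared.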
For more information, check the Cisco Control-Plane page.