Information
ICMPv4 traffic should be rate limited to protect the device's resources.
Rationale:
Many Denial of Service attacks against network devices will attempt to overwhelm the target's processing, memory or bandwidth by barraging the router with malicious ICMP traffic which may be easily spoofed or generated in significant volumes.
Some administrators simply block all ICMP traffic; however this can cause many problems such as the inability of hosts to perform Path MTU Discovery and preventing debugging through common tools such as Ping (ICMP Echo). Loss of these important ICMP functions can adversely affect the reliability or functionality of the network. By limiting the rate at which ICMP traffic can be sent or received by the Routing Engine, it is possible to limit the impact of many DoS attacks without losing the important functionality that ICMP provides to the network.
The limits are set using two parameters. The first, packet-rate, defines the number of ICMPv4 packets (of any type) allowed per second. Traffic below this rate will be allowed. Traffic above this rate will also be permitted so long as tokens remain in the 'token bucket' associated with the policer. Each packet above the configured packet-rate uses one token until the bucket is empty, at which point all ICMPv4 traffic will be denied. The second parameter, bucket-size, is expressed in seconds and sets the depth of the token bucket, i.e. how long a burst above packet-rate can be sustained before the bucket is exhausted; the bucket is refilled at the configured packet rate, so bucket-size controls the amount of burst traffic that will be permitted.
By default, once configured, the packet-rate will be 1000 packets per second with a bucket-size of 5 seconds. This should be sufficient on most platforms to prevent serious DoS attacks, whilst being high enough not to interfere with normal operation.
The administrator should set the limits based on the normal level of ICMPv4 traffic that is handled by the router. Failure to do this could cause the router to become unreliable in some cases.
This requirement deals only with ICMPv4 Exception Traffic to or from the Routing Engine (the Control Plane of a JUNOS device) and has no effect on ICMPv4 Transit Traffic traversing the device.
Impact:
If all accumulated packets in the bucket are used, rate limiting will drop all further ICMPv4 traffic to/from the RE until new packets have been added to the bucket at the rate defined by <limit>.
Solution
ICMPv4 Rate Limiting can be configured by issuing the following commands from the [edit system internet-options] hierarchy.
[edit system internet-options]
user@host# set icmpv4-rate-limit bucket-size <bucket> packet-limit <limit>
Where:
<bucket> is the size of the Rate Limit Bucket, in seconds (if not specified, defaults to 5 seconds)
<limit> is the rate at which packets are added to the bucket, in packets per second (if not specified, defaults to 1000 pps)
Default Value:
By default icmpv4-rate-limit is not configured.
Once configured the bucket-size defaults to 5 seconds and the packet-limit defaults to 1000 packets per second.
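The following token-bucket model is an added illustration of the policer behaviour described in the Information and Impact sections above; it is not Junos code and makes the assumption that the bucket holds packet-rate × bucket-size tokens, starts full, is refilled continuously at packet-rate tokens per second, and that each ICMPv4 packet to or from the RE consumes one token. It lets an administrator estimate how quickly a given ICMP flood exhausts the bucket (and so when legitimate ICMP starts being dropped) before choosing values for <bucket> and <limit>.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class IcmpRateLimiter:
    """Token bucket with the two knobs from the page: packet_rate (pps) and bucket_size (s)."""
    packet_rate: int = 1000   # packets per second (page default)
    bucket_size: int = 5      # seconds of burst the bucket can absorb (page default)
    capacity: Fraction = field(init=False)
    tokens: Fraction = field(init=False)
    last: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self):
        # Assumption: bucket depth = packet_rate * bucket_size tokens, starting full.
        self.capacity = Fraction(self.packet_rate * self.bucket_size)
        self.tokens = self.capacity

    def offer(self, t: Fraction) -> bool:
        """Offer one ICMPv4 packet at time t (seconds, non-decreasing); True if forwarded."""
        # Refill since the last packet at packet_rate tokens/s, capped at the bucket depth.
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.packet_rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False   # bucket empty: the RE drops the packet


def simulate(limiter: IcmpRateLimiter, rate_pps: int, duration_s: int) -> dict:
    """Offer a constant ICMPv4 stream of rate_pps for duration_s seconds (constructed traffic)."""
    passed = dropped = 0
    first_drop = None
    for i in range(rate_pps * duration_s):
        t = Fraction(i, rate_pps)          # exact arithmetic, no float drift
        if limiter.offer(t):
            passed += 1
        else:
            dropped += 1
            if first_drop is None:
                first_drop = float(t)      # seconds until the first drop
    return {"passed": passed, "dropped": dropped, "first_drop_s": first_drop}


if __name__ == "__main__":
    # Normal load below packet_rate is never policed.
    print(simulate(IcmpRateLimiter(), rate_pps=800, duration_s=10))
    # A 3000 pps flood drains the 5 s bucket (net 2000 pps) in about 2.5 s; after
    # that only packet_rate worth of ICMP gets through, as the Impact section warns.
    print(simulate(IcmpRateLimiter(), rate_pps=3000, duration_s=10))
```

With the defaults, a 3000 pps flood empties the bucket after roughly 2.5 seconds, after which about one packet in three (1000 pps of 3000) is forwarded, which is why the limits should be tuned to the router's normal ICMPv4 load.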