By controlling the sending and receiving of ICMP packets, you can effectively defend against attacks that use these packets.
When traffic on a network is heavy and hosts or ports frequently become unreachable, routers receive a large number of ICMP packets. As a result, the network is more heavily burdened, and router performance deteriorates. In addition, most attackers use ICMP packets to launch attacks, such as sending a large number of packets with a TTL value of 1, packets carrying options, and ICMP packets whose destination addresses are broadcast addresses.
Perform the following configurations to reduce traffic burdens over the network and defend against ICMP packet attacks:
Control the sending and receiving of ICMP packets.
Run system-view
The system view is displayed.
Run undo icmp receive or undo icmp send
The sending or receiving of ICMP packets is disabled.
If you want to restore the default configuration and the output of the display this command does not contain the undo icmp receive or undo icmp send configuration, run the clear icmp receive or clear icmp send command.
Run commit
The configuration is committed.
Control the source IP address of ICMP Port Unreachable or Time Exceeded messages in the loopback interface view.
Run system-view
The system view is displayed.
Run interface loopback loopback-number
The loopback interface view is displayed.
Run ip icmp { ttl-exceeded | port-unreachable } source-address
The source IP address of ICMP Port Unreachable or Time Exceeded messages is configured.
Run commit
The configuration is committed.
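The following added example (not part of the original procedure or the vendor's tooling) audits a saved configuration for the commands configured above, which is useful for checking that the settings were committed on every device. The sample configuration is constructed, and its stanza layout (an "interface" header, an indented body, "#" separators) and the function names are assumptions made for this example.

```python
import re

# Constructed sample of a saved configuration; the stanza layout ("interface"
# header, indented body, "#" separator) is an assumption for this example.
SAMPLE_CONFIG = """\
#
undo icmp send
#
interface LoopBack0
 ip address 192.0.2.1 255.255.255.255
 ip icmp ttl-exceeded source-address
#
interface LoopBack1
 ip address 192.0.2.2 255.255.255.255
#
"""

ICMP_SRC = re.compile(r"^ip icmp (ttl-exceeded|port-unreachable) source-address$")
LOOPBACK = re.compile(r"^interface (loopback\s*\d+)$", re.IGNORECASE)

def audit_icmp_hardening(config_text):
    """Report which ICMP controls from the procedure are present in a config."""
    report = {"receive_disabled": False, "send_disabled": False, "source_address": {}}
    current = None  # loopback stanza being read, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if not raw[0].isspace():  # unindented: global command or stanza header
            current = None
            m = LOOPBACK.match(line)
            if m:
                current = m.group(1)
            elif line == "undo icmp receive":
                report["receive_disabled"] = True
            elif line == "undo icmp send":
                report["send_disabled"] = True
            continue
        m = ICMP_SRC.match(line)
        if current and m:  # only count the command inside a loopback stanza
            report["source_address"].setdefault(current, set()).add(m.group(1))
    return report

def missing_source_address(report, loopback, kinds=("ttl-exceeded", "port-unreachable")):
    """List the message types not configured under the given loopback."""
    have = report["source_address"].get(loopback, set())
    return [k for k in kinds if k not in have]
```

Run it against each device's exported configuration and flag devices where the expected entries are absent.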