Hello, everyone!
Today, I will briefly explain IP and ICMP attacks and how we can protect our system.
ICMP (Internet Control Message Protocol) is a very popular and useful protocol. Its best-known uses are ping and traceroute. Hackers exploit a weakness of ICMP: it is a one-way communication protocol, and they use it to trigger attacks. The main ones are ping flood, ICMP_ECHO flood, and smurf attacks. Systems exposed to this type of attack run slowly and have problems connecting to the Internet.

Fig. 1 – ICMP attack
(https://www.allot.com/blog/the-ddos-education-series-part-34-an-eye-opening-look-at-blind-and-targeted-ping-flood-attacks/)
Hackers send a large number of packets to the main system device in a short period of time. The destination address of these packets is the IP address of the system. The main system device becomes overloaded and cannot serve valid users. Anti-IP/ICMP attack protection allows packets sent to the main system device (e.g. the OLT) to be discarded.
The following command shows the complete security configuration on the OLT:
TEST#display security config
{ <cr>||<K> }:
Command:
display security config
Anti-ipspoofing function : disable
Anti-dos function : enable
Anti-macspoofing function : enable
Anti-ipattack function : disable
Anti-icmpattack function : disable
Source-route filter function : disable
Anti-macduplicate function : enable
PPPoE overall aging time(sec) : 360
PPPoE aging period(sec) : 90
ARP detect mode : dummy
Anti-dos control-packet policy : deny
Packet unaffected by anti-ipspoofing : IGMP
Packet unaffected by anti-ipv6spoofing : --
NS-reply function : disable
NS-reply unknown-policy : forward
ARP-reply function : disable
ARP-reply unknown-policy : forward
Anti-ipv6spoofing function : disable
IPv6 DAD proxy function : disable
IPv6 bind route and ND : disable
Packet unaffected by anti-macspoofing : IGMP
DHCP client identifier : chaddr
Packet ignored by anti-macspoofing : --
Anti-illegal-arp function : enable
Anti-illegal-nd function : enable
User delete delay(sec) : 0
Anti-macduplicate alarm function : disable
Anti-ipv6attack function : disable
Anti-icmpv6attack function : disable
Anti-ipconflict refresh function : disable
Anti-illegal-hoplimit-nd function : disable
IP option packet-policy : to-cpu
DHCP packet anti-dos control-packet period(sec) : 1
The commands to enable anti-IP/ICMP attack protection are:
TEST(config)#security anti-ipattack
{ control-packet<K>|disable<K>|enable<K> }:enable
Command:
security anti-ipattack enable
TEST(config)#security anti-icmpattack
{ control-packet<K>|disable<K>|enable<K> }:enable
Command:
security anti-icmpattack enable
After these commands, we can see that both functions are enabled:
TEST#display security config
{ <cr>||<K> }:
Command:
display security config
Anti-ipspoofing function : disable
Anti-dos function : enable
Anti-macspoofing function : enable
Anti-ipattack function : enable
Anti-icmpattack function : enable
Source-route filter function : disable
Anti-macduplicate function : enable
….
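One way to check this state automatically, as an added example that is not part of the original post or of the vendor's tooling: a Python script that parses saved `display security config` output and reports when the anti-IP or anti-ICMP attack function is not enabled. The sample text is a constructed excerpt of the output shown above, and the names `parse_security_config` and `audit` are hypothetical.

```python
import re

# Functions this page enables; names are taken from the display output above.
REQUIRED = ("Anti-ipattack function", "Anti-icmpattack function")

# Constructed sample: a short excerpt of the "before" output shown on this page.
SAMPLE = """\
TEST#display security config
{ <cr>||<K> }:
Command:
display security config
Anti-ipspoofing function : disable
Anti-dos function : enable
Anti-ipattack function : disable
Anti-icmpattack function : disable
PPPoE overall aging time(sec) : 360
"""

LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

def parse_security_config(text):
    """Return {setting name: value} from 'display security config' output."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        # Skip the prompt, the command echo, "Command:" and "{ ... }:" help lines.
        if not m or not m.group("value") or m.group("key").startswith("{"):
            continue
        settings[m.group("key")] = m.group("value")
    return settings

def audit(text, required=REQUIRED):
    """Return findings in the order of `required`; an empty list means all are enabled."""
    settings = parse_security_config(text)
    findings = []
    for name in required:
        value = settings.get(name)
        if value is None:  # truncated or paged output must not pass silently
            findings.append(f"{name}: not present in output")
        elif value.lower() != "enable":
            findings.append(f"{name}: {value}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING", finding)
```

A setting that is missing from the captured text is reported as a finding, so an abbreviated capture does not count as a pass.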
Thank you!
References:
https://www.allot.com/blog/the-ddos-education-series-part-34-an-eye-opening-look-at-blind-and-targeted-ping-flood-attacks/
https://help.eset.com/glossary/sr-Latn-RS/icmp_attacks.html



