Configuring ICMP Flood Attack Defense

This section describes how to configure ICMP flood attack defense.

Procedure

  • Configure interface-based ICMP flood attack defense.
    1. In the user view, access the system view.

      system-view

    2. Access the interface view.

      interface interface-type interface-number

    3. Configure interface-based ICMP flood attack defense.

      anti-ddos icmp-flood [ alert-rate alert-rate ]

      If the rate of ICMP packets reaches alert-rate, ICMP flood attack defense is triggered. alert-rate is an integer ranging from 1 to 80000000, in pps. The default value is 500000.

  • Configure destination IP address-based rate limiting.
    1. In the user view, access the system view.

      system-view

    2. Configure destination IP address-based rate limiting.

      bandwidth-limit destination-ip type icmp max-speed max-speed

      max-speed is an integer ranging from 1 to 2000000, in pps.

      After this function is configured, the FW collects statistics on the ICMP packets arriving at each destination IP address. If the number of ICMP packets arriving at a destination IP address exceeds the maximum value (max-speed), the FW discards the excess packets.
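
The following is an added example, not Huawei code or part of the original page: a small Python model of the per-destination behavior described above, showing that excess ICMP packets to one flooded address are discarded while ICMP to other destinations is unaffected. The class and function names, the fixed one-second counting window, and the sample traffic are assumptions made for illustration; the page does not state how the FW measures the rate.

```python
from collections import defaultdict

MAX_SPEED_RANGE = (1, 2_000_000)  # pps range the page documents for max-speed


class DestIcmpLimiter:
    """Model of destination IP address-based ICMP rate limiting.

    Assumption: packets are counted in fixed one-second windows.
    """

    def __init__(self, max_speed):
        lo, hi = MAX_SPEED_RANGE
        if not lo <= max_speed <= hi:
            raise ValueError(f"max-speed must be {lo}..{hi} pps")
        self.max_speed = max_speed
        self.window = None               # second currently being counted
        self.counts = defaultdict(int)   # destination IP -> packets this second

    def allow(self, timestamp, dst_ip):
        """Return True to forward the packet, False to discard it."""
        second = int(timestamp)
        if second != self.window:        # new second: reset every counter
            self.window = second
            self.counts.clear()
        self.counts[dst_ip] += 1
        return self.counts[dst_ip] <= self.max_speed


def replay(packets, max_speed):
    """Replay (timestamp, dst_ip) pairs; return {dst_ip: (forwarded, discarded)}."""
    limiter = DestIcmpLimiter(max_speed)
    result = defaultdict(lambda: [0, 0])
    for ts, dst in packets:
        result[dst][0 if limiter.allow(ts, dst) else 1] += 1
    return {dst: tuple(v) for dst, v in result.items()}


# Constructed sample traffic (RFC 5737 documentation addresses):
# 5000 packets to 192.0.2.10 and 20 to 192.0.2.20 within the first second,
# then 10 more to 192.0.2.10 in the following second.
SAMPLE = ([(i / 5000, "192.0.2.10") for i in range(5000)]
          + [(0.5, "192.0.2.20")] * 20
          + [(1.2, "192.0.2.10")] * 10)

if __name__ == "__main__":
    for dst, (fwd, drop) in sorted(replay(SAMPLE, max_speed=1000).items()):
        print(f"{dst}: forwarded={fwd} discarded={drop}")
```

With max-speed set to 1000 in this model, the flooded address keeps only 1000 packets in the first second and all 10 in the next, and the second address loses nothing.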

Copyright © Huawei Technologies Co., Ltd.