This section describes the mechanisms of ICMP flood attack and defense.
An attacker sends massive ICMP packets to the target in a short period of time, exhausting session resources on network devices. If the attacker sends oversized packets over a network link, the network link may be congested.
Basically, no service traffic is carried by ICMP. However, ICMP flood is a major category in DDoS attacks. The FW supports global ICMP packet limiting to restrict the ICMP traffic within a proper scope and discard excess ICMP traffic.
The FW collects statistics by destination IP address. If the transmission rate of the ICMP traffic destined for the same destination IP address reaches the alarm threshold, the FW enables traffic limiting and discards excess ICMP packets.
Besides, the FW supports the blocking of ICMP packets on incoming interfaces.
When the ICMP packet rate destined for the same destination address exceeds the threshold, the FW considers that an attack occurs and discards ICMP packets that do not match the whitelist.