anti-ddos icmp-flood

Function

The anti-ddos icmp-flood command enables the interface-specific ICMP flood attack defense.

The undo anti-ddos icmp-flood command disables the interface-specific ICMP flood attack defense.

Format

anti-ddos icmp-flood [ alert-rate alert-rate ]

undo anti-ddos icmp-flood

Parameters

| Parameter | Description | Value |
|---|---|---|
| alert-rate alert-rate | Specifies the threshold of the ICMP packet rate that triggers ICMP flood attack defense. | The value is an integer ranging from 1 to 80000000, in pps. The default value is 500000. |

Views

Ethernet interface view, Ethernet sub-interface view, Layer-2 Ethernet interface view, Layer-2 Ethernet sub-interface view, Eth-Trunk interface view, Layer-2 Eth-Trunk interface view, Eth-Trunk sub-interface view, Layer-2 Eth-Trunk sub-interface view, Virtual interface view

Default Level

2: Configuration level

Usage Guidelines

By default, the function is disabled.

The FW defends against ICMP flood attacks by blocking. If the rate of ICMP packets destined for an IP address exceeds the threshold, the FW discards all ICMP packets that do not match the whitelist, so that services are not affected by ICMP flood attacks.

The attack defense threshold obtained by the threshold learning function applies only to global anti-DDoS defense. Therefore, you must use the anti-ddos icmp-flood command to manually set the threshold for interface-specific ICMP flood attack defense.

Example

# Enable ICMP flood attack defense on GigabitEthernet 0/0/1. Set the threshold of the ICMP packet rate that triggers ICMP flood attack defense to 1000 pps.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet0/0/1] anti-ddos icmp-flood alert-rate 1000
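
Because interface thresholds must be set manually, a configuration review can check each interface for this command. The following Python check is an added example, not part of the original page or any vendor tooling: it reports per interface whether the defense is enabled and which alert-rate applies. The configuration layout (an unindented `interface <name>` line, indented commands below it, `#` between blocks), the function name and the sample text are assumptions constructed for illustration.

```python
import re

DEFAULT_RATE = 500000             # default alert-rate stated on this page, in pps
RATE_MIN, RATE_MAX = 1, 80000000  # valid alert-rate range stated on this page

# Constructed sample; the layout of a saved configuration is assumed:
# an "interface <name>" line, then that interface's commands indented below it.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.0
 anti-ddos icmp-flood alert-rate 1000
#
interface GigabitEthernet0/0/2
 anti-ddos icmp-flood
#
interface GigabitEthernet0/0/3
#
interface Eth-Trunk1
 anti-ddos icmp-flood alert-rate 90000000
#
"""

CMD = re.compile(r"^anti-ddos icmp-flood(?: alert-rate (\d+))?$")

def audit_icmp_flood(config_text):
    """Return {interface: (state, rate_in_pps_or_None)} for every interface block."""
    results, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            results[current] = ("disabled", None)   # the function is off by default
        elif not raw.startswith(" "):
            current = None                          # left the interface block
        elif current and (m := CMD.match(line)):
            if m.group(1) is None:                  # enabled without alert-rate
                results[current] = ("default-threshold", DEFAULT_RATE)
            else:
                rate = int(m.group(1))
                ok = RATE_MIN <= rate <= RATE_MAX
                results[current] = ("explicit" if ok else "out-of-range", rate)
    return results

if __name__ == "__main__":
    for name, (state, rate) in audit_icmp_flood(SAMPLE_CONFIG).items():
        print(f"{name:26} {state:18} {rate if rate is not None else '-'}")
```
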
Copyright © Huawei Technologies Co., Ltd.