How to clear a fault caused by an ICMP attack on the NE40 and NE80?
Users----switch--....---(gateway) S8016/NE40..---interface to Internet---Internet
Generally, the S8016 and NE40 are used as MAN gateway equipment. ICMP attacks from the extranet, or from inside the MAN itself, often drive the CPU usage of the gateway up and cause ping packet loss.
Run the disp cpu command and look at the SOCK process. If SOCK occupies a large share of the CPU, the equipment is probably under attack. The attacks network equipment is most commonly subjected to are ARP attacks and ICMP attacks.
Each LPU of the S8016/NE40/NE80 has a leaky-bucket threshold for packets that have to be sent up to the MPU. If too many such packets arrive, the leaky bucket discards the excess (for example, surplus ICMP packets) according to the threshold value, so they never reach the MPU.
Run the following command. The first argument is the slot number, the second is the token ID; token ID 31 is the bucket used for ICMP on this platform (it is not the IP protocol number of ICMP, which is 1):
[NX-YC-TXL8016-A-3.MAN]disp system-bucket 2 31
#The slot number: 2
#The token ID: 31
The time of the last packets arrive:4291702616
The number of present tokens: 196526
The traffic rate of the token: 16K
The height of the token bucket:196608
The number of the discarded packets:38872
The traffic rate of the token is the threshold. It is 16 KB by default and can be lowered to 8 KB or 4 KB. Note: 2 KB is not recommended, because such a small value may cause the bucket to discard normal ping packets as well.
The number of the discarded packets is the item to watch. Run the command several times: if this counter keeps increasing, ICMP packets are arriving faster than the threshold allows and the excess is being discarded to protect the CPU of the MPU. A present-token count far below the bucket height that keeps falling between polls points the same way.
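The check described above (poll the bucket a few times and see whether the discard counter keeps climbing) is easy to get wrong by eye, so here is an added example that parses the disp system-bucket output and reports the trend. This is illustrative code written for this page, not a tool shipped with the equipment; the three sample outputs are constructed (the first copies the output quoted above, the later two have invented counter values), and the field labels are taken from that output.

```python
import re

# Field labels exactly as they appear in the `disp system-bucket <slot> <token-id>`
# output quoted above. The real output is inconsistent about the space after the
# colon, so every pattern tolerates optional whitespace there.
_FIELDS = {
    "slot":      r"#The slot number:\s*(\d+)",
    "token_id":  r"#The token ID:\s*(\d+)",
    "tokens":    r"The number of present tokens:\s*(\d+)",
    "rate":      r"The traffic rate of the token:\s*(\S+)",
    "height":    r"The height of the token bucket:\s*(\d+)",
    "discarded": r"The number of the discarded packets:\s*(\d+)",
}


def parse_bucket(text):
    """Turn one `disp system-bucket` output into a dict of typed fields."""
    parsed = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field {key!r} missing from output")
        value = m.group(1)
        parsed[key] = int(value) if value.isdigit() else value
    return parsed


def bucket_fill(parsed):
    """Fraction of the bucket still holding tokens: near 1.0 means the LPU is
    keeping up; a value that keeps falling between polls means sustained overload."""
    return parsed["tokens"] / parsed["height"]


def discard_trend(samples):
    """Given successive outputs (oldest first), return the per-interval growth of
    the discarded-packet counter and whether it grew on every interval, which is
    the page's signal that ICMP is arriving faster than the threshold allows."""
    counts = [parse_bucket(s)["discarded"] for s in samples]
    deltas = [later - earlier for earlier, later in zip(counts, counts[1:])]
    return deltas, bool(deltas) and all(d > 0 for d in deltas)


# Constructed sample: three polls of slot 2 / token 31 taken a couple of minutes
# apart. The first is the output quoted on the page; the time, token and counter
# values of the later two are invented to show an attack in progress.
SAMPLES = [
    """#The slot number: 2
#The token ID: 31
The time of the last packets arrive:4291702616
The number of present tokens: 196526
The traffic rate of the token: 16K
The height of the token bucket:196608
The number of the discarded packets:38872""",
    """#The slot number: 2
#The token ID: 31
The time of the last packets arrive:4291702744
The number of present tokens: 131072
The traffic rate of the token: 16K
The height of the token bucket:196608
The number of the discarded packets:41210""",
    """#The slot number: 2
#The token ID: 31
The time of the last packets arrive:4291702871
The number of present tokens: 65536
The traffic rate of the token: 16K
The height of the token bucket:196608
The number of the discarded packets:44005""",
]

if __name__ == "__main__":
    deltas, attacked = discard_trend(SAMPLES)
    print("discards per interval:", deltas, "-> under attack" if attacked else "-> stable")
    print("bucket fill on last poll: %.2f" % bucket_fill(parse_bucket(SAMPLES[-1])))
```

In practice the samples come from pasting the command output at intervals of a minute or two; a counter that grows on every interval, together with a token count that is sliding away from the bucket height, is the condition under which the threshold change in step 1 below is worthwhile.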
1. Reduce the impact of the ICMP attack on the equipment by lowering the threshold of the leaky bucket (same slot and token ID as in the display command):
apply system-bucket 2 31 (threshold)
After the threshold is lowered, more of the excess ICMP packets are discarded directly by the leaky bucket on the LPU instead of being sent to the MPU. The forwarding performance of the equipment is protected and CPU occupancy stays low enough to leave room for the other processes. Keep in mind that the bucket cannot tell attack traffic from legitimate traffic: during a flood, normal pings to the gateway share the same small allowance, and a threshold that is too low will drop them even on a quiet network.
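To make the trade-off in step 1 concrete, here is an added model of the LPU bucket rather than anything taken from the equipment itself: tokens refill at the configured rate up to the bucket height from the output above, and each byte sent towards the MPU costs one token. The traffic mix is constructed, the reading of "16K" as 16 x 1024 bytes per second is an assumption (the page does not say which K it means), and the proportional split of drops between legitimate and attack bytes is a modelling choice that reflects the fact that the bucket cannot distinguish them.

```python
# Thresholds the page mentions, interpreted as bytes of token per second. The page
# only prints "16K"; whether K means 1000 or 1024 is not stated, so 1024 is an
# assumption here and changes nothing about the comparison.
THRESHOLDS = {"16K": 16 * 1024, "8K": 8 * 1024, "4K": 4 * 1024, "2K": 2 * 1024}
BUCKET_HEIGHT = 196608            # "height of the token bucket" from the page

# Constructed traffic mix, in bytes per second. An 84-byte frame is a minimal
# IPv4 ping on Ethernet.
LEGIT_PING = 40 * 84              # 40 monitoring/user pings per second
ATTACK_FLOOD = 6000 * 84          # ICMP flood arriving from the Internet side


def simulate(rate_per_s, height, legit_per_s, attack_per_s, seconds):
    """One-second-granularity token bucket: tokens refill at rate_per_s up to
    height; every byte forwarded to the MPU costs one token. Returns how many
    bytes reached the MPU and how many legitimate / attack bytes the LPU dropped.
    The bucket cannot tell the two kinds apart, so a shortfall is split in
    proportion to their share of the offered load."""
    tokens = height                # the page's sample shows an idle bucket is full
    forwarded = 0
    dropped_legit = 0.0
    dropped_attack = 0.0
    demand = legit_per_s + attack_per_s
    for _ in range(seconds):
        tokens = min(tokens + rate_per_s, height)
        if demand <= tokens:
            tokens -= demand
            forwarded += demand
        else:
            shortfall = demand - tokens
            forwarded += tokens
            tokens = 0
            dropped_legit += shortfall * legit_per_s / demand
            dropped_attack += shortfall * attack_per_s / demand
    return {"forwarded": forwarded,
            "dropped_legit": dropped_legit,
            "dropped_attack": dropped_attack}


def compare_thresholds(legit_per_s, attack_per_s, seconds=600):
    """Run the same traffic through each candidate threshold for `seconds`."""
    return {label: simulate(rate, BUCKET_HEIGHT, legit_per_s, attack_per_s, seconds)
            for label, rate in THRESHOLDS.items()}


if __name__ == "__main__":
    for title, attack in (("quiet network", 0), ("ICMP flood", ATTACK_FLOOD)):
        print(title)
        for label, r in compare_thresholds(LEGIT_PING, attack).items():
            print(f"  {label}: to MPU {r['forwarded']:>10} B, "
                  f"legit dropped {r['dropped_legit']:>10.0f} B, "
                  f"attack dropped {r['dropped_attack']:>10.0f} B")
```

Two things fall out of the run. Under the flood, what reaches the MPU is bounded by the refill rate alone once the bucket has drained, so 4K lets through a quarter of what 16K does, which is the protection step 1 describes. On the quiet network, 16K, 8K and 4K never drop a legitimate byte, but 2K is below the normal ping load and starts discarding ordinary pings once the bucket has drained a couple of minutes in, which is why the page advises against it.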
2. Solve the problem by blocking ping:
Enable an EACL on the interface to block ping. If the ICMP packets come from the extranet, apply it inbound on the interface facing the Internet, so the packets are dropped before they reach the gateway. Match ICMP echo-request rather than all of ICMP, so that error messages such as destination-unreachable and time-exceeded (needed for path MTU discovery and traceroute) still pass.