NE40 is attacked by ICMP packets.
CPU utilization reaches 90%.
Filtering fragmented ICMP packets helps keep the attack away. The configuration is as follows: rule-map 1 intervlan icmp any any flag.
Analysis leads to the following two possible solutions:
(1) Change the leaky bucket configuration.
(2) Filter the ICMP packets.
Although the first solution controls the ICMP attack effectively, the large number of packets still affects the forwarding of normal ICMP packets. The second solution also controls the ICMP attack, but it disables normal ICMP packets as well. Analysis shows that the ICMP packets are often very large and are fragmented in transmission, so filtering fragmented ICMP packets protects against the attack. After this filtering is applied, CPU utilization is reduced greatly.
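The following is an added example, not part of the original case and not the NE40's own implementation. It models the match logic of a "deny fragmented ICMP" rule on constructed IPv4 packets, showing why ordinary pings still pass while every fragment of an oversized ICMP packet is dropped. The function names and the documentation-range addresses are assumptions.

```python
import struct

ICMP = 1
MF = 0x2000           # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def ipv4_packet(proto, payload_len, mf=False, offset_bytes=0):
    """Build a constructed IPv4 packet (20-byte header, zeroed payload)."""
    flags_off = (MF if mf else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         flags_off, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + bytes(payload_len)


def is_icmp_fragment(packet):
    """True for any ICMP fragment: first, middle or last.

    Only IP header fields are inspected, because non-first fragments
    carry no ICMP header and cannot be matched on ICMP type or code.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    (flags_off,) = struct.unpack_from("!H", packet, 6)
    fragmented = bool(flags_off & MF) or (flags_off & OFFSET_MASK) != 0
    return packet[9] == ICMP and fragmented


def verdict(packet):
    return "drop" if is_icmp_fragment(packet) else "permit"


# Constructed sample traffic: one normal ping, one 3-fragment ICMP packet,
# and one fragmented UDP packet that the rule must leave alone.
SAMPLES = {
    "normal 64-byte ping": ipv4_packet(ICMP, 64),
    "large ICMP, first fragment": ipv4_packet(ICMP, 1480, mf=True),
    "large ICMP, middle fragment": ipv4_packet(ICMP, 1480, mf=True, offset_bytes=1480),
    "large ICMP, last fragment": ipv4_packet(ICMP, 40, offset_bytes=2960),
    "fragmented UDP": ipv4_packet(17, 1480, mf=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30s} {verdict(pkt)}")
```

The same match also drops legitimate ICMP packets that are large enough to be fragmented, so diagnostics that send oversized pings through the device will fail while the rule is in place.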