978 BigIron RX Series Configuration Guide 53-1001986-01
Protecting against Smurf attacks 34

Avoiding being an intermediary in a Smurf attack

A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when directed broadcast forwarding is enabled on the device.

To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is disabled on the device. Directed broadcast forwarding is disabled by default. To disable directed broadcast forwarding, enter the following command.

BigIron RX(config)# no ip directed-broadcast

Syntax: [no] ip directed-broadcast

ACL-based DOS-attack prevention

ACL-based DOS-attack prevention provides great flexibility in which packets can be rate-limited or dropped. Users can create any matching conditions they want to regulate any particular traffic flow they have in mind. This section provides examples that can be used to prevent two common types of DOS attacks.

Avoiding being a victim in a Smurf attack

You can configure the device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded.

For example, to set threshold values for ICMP packets received on interface 3/11, enter the following commands.

BigIron RX(config)# access-list 101 permit icmp any any echo-reply
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000 burst-max 1000 lockup 300

In the example, if the total traffic volume of ICMP echo-reply packets received per second exceeds 5,000,000 bits per second, the excess packets are dropped. If the number of ICMP echo-reply packets received per second exceeds 1,000, the device drops all ICMP packets for the next 300 seconds (five minutes).

Syntax: dos-attack-prevent <num> burst-normal <bps> burst-max <num-of-packets> lockup <seconds> [log]

<num> is the ACL ID that will be used to check for traffic conformance.

The parameters burst-normal, burst-max, and lockup are applied individually on each ACL filter.

The burst-normal value, 1 – 100000000, is specified in bits per second.
The burst-max value, 1 – 100000, is specified as a number of packets.
The lockup value can be from 1 – 10000 seconds.

The number of incoming ICMP packets per second that match the condition specified in the ACL is measured and compared to the threshold values as follows:
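The threshold behaviour described for the example above, modelled second by second in Python as an added illustration (this is not Brocade code; the packet stream is constructed, and how packets in the second that trips burst-max are treated, and the arrival-order accounting against burst-normal, are assumptions):

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class DosAttackPrevent:  # added example, not Brocade code
    burst_normal: int       # bits per second allowed for matching packets
    burst_max: int          # matching packets per second that trigger a lockup
    lockup: int             # seconds during which all matching packets are dropped
    locked_until: int = -1  # last second (inclusive) of the current lockup window
    stats: dict = field(default_factory=lambda: {"forwarded": 0, "dropped": 0, "lockups": 0})

    def process_second(self, second: int, packet_sizes: list[int]) -> tuple[int, int]:
        """One second of ACL-matching ICMP packets (sizes in bytes) -> (forwarded, dropped)."""
        # Inside a lockup window every matching packet is dropped.
        if second <= self.locked_until:
            self.stats["dropped"] += len(packet_sizes)
            return 0, len(packet_sizes)
        # burst-max: too many packets in this second starts a lockup for the *next*
        # lockup seconds (assumption: the triggering second is still judged by burst-normal).
        if len(packet_sizes) > self.burst_max:
            self.locked_until = second + self.lockup
            self.stats["lockups"] += 1
        # burst-normal: forward until the per-second bit budget is spent, then drop
        # the excess (assumption: packets are counted in arrival order).
        bits_used = forwarded = dropped = 0
        for size in packet_sizes:
            if bits_used + size * 8 <= self.burst_normal:
                bits_used += size * 8
                forwarded += 1
            else:
                dropped += 1
        self.stats["forwarded"] += forwarded
        self.stats["dropped"] += dropped
        return forwarded, dropped

def simulate(flt: DosAttackPrevent, stream: dict[int, list[int]]) -> list[tuple[int, int, int]]:
    # Run a constructed {second: [packet sizes]} stream through the filter in time order.
    return [(s, *flt.process_second(s, sizes)) for s, sizes in sorted(stream.items())]

# Constructed stream for the page's values: burst-normal 5000000, burst-max 1000, lockup 300.
EXAMPLE_STREAM = {
    0: [1500] * 500,  # 6,000,000 bits in one second: packets beyond the budget are dropped
    1: [64] * 1200,   # 1,200 packets: over burst-max, lockup covers seconds 2..301
    2: [64] * 10,     # inside the lockup window: all dropped
    301: [64] * 10,   # last locked second
    302: [64] * 10,   # lockup over: forwarded again
}

if __name__ == "__main__":
    for second, fwd, drop in simulate(DosAttackPrevent(5_000_000, 1000, 300), EXAMPLE_STREAM):
        print(f"second {second:4d}: forwarded={fwd:5d} dropped={drop:5d}")
```

Running it shows the two thresholds acting independently: second 0 loses only the packets beyond the 5,000,000-bit budget, while second 1 forwards its traffic but opens a 300-second window in which every matching packet is dropped.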