BigIron RX Series Configuration Guide, 53-1001810-01, page 984
34  Protecting against Smurf attacks

For each ICMP echo request packet sent by the attacker, a number of ICMP replies equal to the number of hosts on the intermediary network is sent to the victim. If the attacker generates a large volume of ICMP echo request packets, and the intermediary network contains a large number of hosts, the victim can be overwhelmed with ICMP replies.

Avoiding being an intermediary in a Smurf attack

A Smurf attack relies on the intermediary to broadcast ICMP echo request packets to hosts on a target subnet. When the ICMP echo request packet arrives at the target subnet, it is converted to a Layer 2 broadcast and sent to the connected hosts. This conversion takes place only when directed broadcast forwarding is enabled on the device.

To avoid being an intermediary in a Smurf attack, make sure forwarding of directed broadcasts is disabled on the BigIron RX. Directed broadcast forwarding is disabled by default, so the command below is only needed on a device where it has been enabled; the no form returns the device to the default. To disable directed broadcast forwarding, enter the following command.

BigIron RX(config)# no ip directed-broadcast

Syntax: [no] ip directed-broadcast

ACL-based DOS-attack prevention

ACL-based DOS-attack prevention provides great flexibility in which packets are rate-limited or dropped: the matching conditions of the ACL define the traffic flow that is regulated, so any flow that an ACL can describe can be protected. This section provides examples that can be used to prevent two common types of DOS attack.

Avoiding being a victim in a Smurf attack

You can configure the BigIron RX to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. You can set threshold values for ICMP packets that are targeted at the router itself or passing through an interface, and drop them when the thresholds are exceeded.

For example, to set threshold values for ICMP packets received on interface 3/11, enter the following commands.

BigIron RX(config)# access-list 101 permit icmp any any echo-reply
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000 burst-max 1000 lockup 300

The ACL matches ICMP echo-reply packets because those are what reaches the victim of a Smurf attack; to regulate a different flow, write an ACL that matches that flow and reference its ID instead.

In the example, if the total traffic volume of ICMP echo-reply packets received per second exceeds 5,000,000 bits per second, the excess packets are dropped. If the number of ICMP echo-reply packets received per second exceeds 1,000, the device drops all ICMP packets for the next 300 seconds (five minutes).

Syntax: dos-attack-prevent <num> burst-normal <bps> burst-max <num-of-packets> lockup <seconds> [log]

<num> is the ACL ID that will be used to check for traffic conformance.

The parameters burst-normal, burst-max, and lockup are applied individually on each ACL filter.

The burst-normal value, 1 – 100000000, is specified in bits per second.

The burst-max value, 1 – 100000, is specified as a number of packets.
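The rate-limiting and lockup behaviour described above, modelled in Python as an added example. This is not Brocade code and does not reproduce the device's implementation; it assumes per-second accounting of ACL-matching packets, drops a packet whose bits would push the current second over burst-normal, and starts a lockup of the configured number of seconds once more than burst-max matching packets have been seen in one second. The packet stream it processes is constructed inline (a flood of echo replies, unrelated traffic during the lockup, then traffic after the lockup expires), and the class and function names are the example's own.

```python
"""Model of the documented dos-attack-prevent behaviour.

Added example, not Brocade code. Assumptions (the page does not specify them):
  * matching packets are accounted per whole second of arrival time;
  * a matching packet whose size would push the current second's total over
    burst-normal (bits) is dropped as "excess";
  * every matching packet received in a second, dropped or not, counts toward
    burst-max; the packet that exceeds it starts a lockup, during which all
    matching packets are dropped for `lockup` seconds;
  * packets that do not match the ACL are forwarded untouched.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    t: float            # arrival time in seconds
    size_bytes: int
    matches_acl: bool   # e.g. result of "access-list 101 permit icmp any any echo-reply"


@dataclass
class Stats:
    forwarded: int = 0
    dropped_excess: int = 0      # over burst-normal within one second
    dropped_lockup: int = 0      # dropped while a lockup is in force
    lockups: List[Tuple[int, int]] = field(default_factory=list)  # (start, end) seconds


class DosAttackPrevent:
    def __init__(self, burst_normal_bps: int, burst_max_pps: int, lockup_seconds: int):
        self.burst_normal = burst_normal_bps
        self.burst_max = burst_max_pps
        self.lockup = lockup_seconds
        self.cur_second: Optional[int] = None
        self.bits_this_second = 0
        self.pkts_this_second = 0
        self.lockup_until: Optional[int] = None   # first second after the lockup ends
        self.stats = Stats()

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if not pkt.matches_acl:
            self.stats.forwarded += 1
            return True
        second = int(pkt.t)
        if second != self.cur_second:          # new accounting interval
            self.cur_second = second
            self.bits_this_second = 0
            self.pkts_this_second = 0
        if self.lockup_until is not None and second < self.lockup_until:
            self.stats.dropped_lockup += 1
            return False
        self.pkts_this_second += 1
        if self.pkts_this_second > self.burst_max:   # burst-max exceeded: start lockup
            self.lockup_until = second + self.lockup
            self.stats.lockups.append((second, self.lockup_until))
            self.stats.dropped_lockup += 1
            return False
        bits = pkt.size_bytes * 8
        if self.bits_this_second + bits > self.burst_normal:  # burst-normal exceeded
            self.stats.dropped_excess += 1
            return False
        self.bits_this_second += bits
        self.stats.forwarded += 1
        return True


def flood(start: int, count: int, size_bytes: int, matches_acl: bool = True) -> List[Packet]:
    """Constructed traffic: `count` packets spread evenly over one second."""
    return [Packet(start + i / count, size_bytes, matches_acl) for i in range(count)]


def example_stats() -> Stats:
    """Run the page's parameters (5,000,000 bps, 1000 packets, lockup 300 s)
    over a constructed Smurf-style stream of echo replies."""
    stream = (
        flood(0, 1500, 64)                    # 1500 echo replies in second 0: lockup at #1001
        + flood(1, 100, 64)                   # still locked up: all dropped
        + flood(2, 5, 60, matches_acl=False)  # unrelated traffic passes during lockup
        + flood(300, 10, 64)                  # lockup expired: forwarded again
        + flood(301, 1000, 1500)              # 12,000,000 bps offered: excess over 5,000,000 dropped
    )
    dev = DosAttackPrevent(5_000_000, 1000, 300)
    for pkt in stream:
        dev.process(pkt)
    return dev.stats


if __name__ == "__main__":
    print(example_stats())
```

Running it shows the two thresholds acting independently: the 1500-packet burst in second 0 trips burst-max after 1000 packets and locks the flow out until second 300 even though its bit rate stayed far below burst-normal, while the 1500-byte packets in second 301 never reach burst-max but lose everything beyond the 416 packets that fit under 5,000,000 bits.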