Limiting ICMP on input chain

RouterOS 6.24 on CCR1036

Trying to limit all ICMP destined for router to 10pps. When I have these rules in place the limiting doesn’t seem to be functioning properly: as I ping the router from a remote host at a consistent moderate rate of 1-2pps, within a few seconds it’s added into the ICMP attack list. Did I get something wrong?

add chain=input comment="ICMP 10pps" limit=10,0 protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=input comment="Excess into ICMP attack list" protocol=icmp
add action=drop chain=input comment="Drop ICMP attack list" protocol=icmp src-address-list=icmp-attack

I have the same problem, any ideas anyone?

Set burst to one (1), move last rule (drop) to top and it will work fine.

Reminder that ICMP source addresses can be spoofed; adding addresses to a blacklist without being able to verify the source address is a bad practice. It’s better to just rate limit (which is built into the kernel - check IP / Settings).
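
The burst and rule-order points raised in the replies above can be checked with a small simulation. This is an added example, not part of the original thread: it assumes the limit matcher behaves like a Linux xt_limit-style token bucket, and `Limit` and `simulate` are hypothetical names.

```python
# Added illustration: token-bucket model of the three input-chain rules.
# Assumption: limit=rate,burst works like a Linux xt_limit-style bucket
# (starts full, refills at `rate` per second, never holds more than `burst`).

class Limit:
    def __init__(self, rate, burst):
        self.rate = rate
        self.cap = burst * 1000          # credit in 1/1000ths of a packet
        self.credit = self.cap
        self.last = 0

    def matches(self, now_ms):
        refill = (now_ms - self.last) * self.rate
        self.credit = min(self.cap, self.credit + refill)
        self.last = now_ms
        if self.credit >= 1000:
            self.credit -= 1000
            return True
        return False


def simulate(pps, seconds, burst, drop_first):
    """One source sending ICMP at `pps`.

    Returns (packets accepted by the limit rule, ms at which the source
    was first put on the icmp-attack list, or None if never listed).
    """
    limit = Limit(10, burst)
    listed, accepted, first_listed = False, 0, None
    for i in range(pps * seconds):
        now = i * 1000 // pps
        if drop_first and listed:
            continue                     # drop rule at top: never reaches limit
        if limit.matches(now):
            accepted += 1                # rule "ICMP 10pps" accepts the packet
            continue
        if not listed:                   # excess: add-src-to-address-list
            listed, first_listed = True, now
        # original order: the drop rule sits last, so only excess packets
        # from a listed source are dropped; the limit rule still accepts.
    return accepted, first_listed


if __name__ == "__main__":
    print("2 pps, burst 0, original order:", simulate(2, 5, 0, False))
    print("2 pps, burst 1, drop first:    ", simulate(2, 5, 1, True))
    print("50 pps, burst 1, original order:", simulate(50, 2, 1, False))
    print("50 pps, burst 1, drop first:    ", simulate(50, 2, 1, True))
```

Under this model a burst of 0 leaves the bucket permanently empty, so even a 2 pps ping falls through to the address-list rule on its first packet, and with the drop rule last a listed source still gets 10 pps accepted.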