scottvd
newbie
Topic Author
Posts: 31
Joined: Wed Oct 26, 2005 3:50 am
Location: Millstatt, Austria
Contact:

Limiting ICMP on input chain

Sat Jan 03, 2015 10:29 pm

RouterOS 6.24 on CCR1036

Trying to limit all ICMP destined for router to 10pp/s. When I have these rules in place the limiting doesn't seem to be functioning properly: as I ping the router from a remote host at a consistent moderate rate of 1-2pps, within a few seconds it's added into the ICMP attack list. Did I get something wrong?
/ip firewall filter
add chain=input comment="ICMP 10pps" limit=10,0 protocol=icmp
add action=add-src-to-address-list address-list=icmp-attack address-list-timeout=12h chain=input comment="Excess into ICMP attack list" protocol=icmp
add action=drop chain=input comment="Drop ICMP attack list" protocol=icmp src-address-list=icmp-attack
 
dadaniel
Member Candidate
Posts: 155
Joined: Fri May 14, 2010 11:51 pm

Re: Limiting ICMP on input chain

Wed Oct 10, 2018 3:53 pm

I have the same problem, any ideas anyone?
 
nescafe2002
Long time Member
Posts: 617
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Limiting ICMP on input chain

Wed Oct 10, 2018 4:18 pm

Set burst to one (1), move last rule (drop) to top and it will work fine.
 
R1CH
Forum Veteran
Posts: 883
Joined: Sun Oct 01, 2006 11:44 pm

Re: Limiting ICMP on input chain

Wed Oct 10, 2018 6:19 pm

Reminder that ICMP source addresses can be spoofed, adding addresses to a blacklist without being able to verify the source address is a bad practice. It's better to just rate limit (which is built into the kernel - check IP / Settings).
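As an added example (not posted by anyone in this thread), here are the original three rules rewritten the way nescafe2002 suggests (burst set to 1, drop rule moved to the top), followed by the blacklist-free alternative R1CH argues for. The rule names, comments and the 10pps budget are taken from the thread; the `limit=10,1` form assumes the rate,burst syntax used in the original post, which varies between RouterOS versions. The two rule sets are alternatives, so load only one of them.

```routeros
# Variant 1: the thread's rules, corrected per nescafe2002.
# The input chain is evaluated top to bottom, so the drop for already-listed
# sources must come first; otherwise a listed host keeps consuming the limit
# budget and the "excess" rule keeps re-adding everyone who shares the budget.
# burst=1 (instead of 0) gives the limit matcher a non-zero token bucket.
/ip firewall filter
add chain=input protocol=icmp src-address-list=icmp-attack action=drop \
    comment="Drop ICMP attack list"
add chain=input protocol=icmp limit=10,1 action=accept comment="ICMP 10pps"
add chain=input protocol=icmp action=add-src-to-address-list \
    address-list=icmp-attack address-list-timeout=12h \
    comment="Excess into ICMP attack list"

# Variant 2: rate limit only, per R1CH.
# ICMP source addresses are not authenticated, so variant 1 lets a spoofed
# flood put arbitrary addresses (including your own monitoring hosts) on the
# block list for 12 hours. Plain rate limiting accepts ICMP up to the budget
# and drops the excess without remembering any source address.
/ip firewall filter
add chain=input protocol=icmp limit=10,1 action=accept comment="ICMP 10pps"
add chain=input protocol=icmp action=drop comment="Drop ICMP above 10pps"
```

One caveat on the "built into the kernel" option R1CH mentions: as far as I know the kernel-side ICMP rate limit (exposed under /ip settings as icmp-rate-limit and icmp-rate-mask) governs ICMP messages the router sends, and its default mask covers error types such as destination unreachable and time exceeded rather than echo traffic, so the firewall rules above are still what bounds incoming ping load on the CPU.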
