6.5.2 Ensure ICMPv6 rate-limit is Set

Information

ICMPv6 traffic should be rate limited to protect the device's resources.

Rationale:

Many Denial of Service attacks against network devices attempt to overwhelm the target's processing, memory or bandwidth by barraging the router with malicious ICMP traffic, which may be easily spoofed or generated in significant volumes.

Some administrators simply block all ICMP traffic; however, this can cause many problems, such as the inability of hosts to perform Path MTU Discovery and the loss of debugging through common tools such as Ping (ICMP Echo). Loss of these important ICMP functions can adversely affect the reliability or functionality of the network. By limiting the rate at which ICMP traffic can be sent or received by the Routing Engine, it is possible to limit the impact of many DoS attacks without losing the important functionality that ICMP provides to the network.

The limits are set using two parameters. The first, packet-rate, defines the number of ICMPv6 packets (of any type) allowed per second. Traffic below this rate is allowed. Traffic above this rate is also permitted so long as tokens remain in the 'token bucket' associated with the policer. Each packet above the configured packet-rate consumes one token until the bucket is empty, at which point all further ICMPv6 traffic is denied. The second parameter, bucket-size, defines the rate at which the token bucket is refilled, controlling the amount of burst traffic that will be permitted.

By default, once configured, the packet-rate is 1000 packets per second with a bucket-size of 5 seconds. This should be sufficient on most platforms to prevent serious DoS attacks, whilst being high enough not to interfere with normal operation.

The administrator should set the limits based on the normal level of ICMPv6 traffic that is handled by the router. Failure to do this could cause the router to become unreliable in some cases.

This requirement deals only with ICMPv6 Exception Traffic to or from the Routing Engine (the Control Plane of a JUNOS device) and has no effect on ICMPv6 Transit Traffic traversing the device.

Impact:

If all accumulated packets in the bucket are used, rate limiting will drop all further ICMPv6 traffic to/from the RE until new packets have been added to the bucket at the rate defined by

Solution

ICMPv6 Rate Limiting can be configured by issuing the following commands from the [edit system internet-options] hierarchy.

[edit system internet-options]
user@host# set icmpv6-rate-limit bucket-size <bucket> packet-rate <limit>

Where:

<bucket> is the size of the Rate Limit Bucket, in seconds (if not specified, defaults to 5 seconds)

<limit> is the rate at which packets are added to the bucket, in packets per second (if not specified, defaults to 1000pps)

Default Value:

By default icmpv6-rate-limit is not configured.

Once configured, the bucket-size defaults to 5 seconds and the packet-rate defaults to 1000 packets per second.
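As an added example (not part of the benchmark or of JUNOS itself), the following Python check audits this control against the output of show configuration | display set, applying the defaults above when icmpv6-rate-limit is present without explicit values. The sample configuration excerpts are constructed, not captured from a device.

```python
import re

# Defaults the benchmark states apply once icmpv6-rate-limit is configured.
DEFAULT_BUCKET_SIZE = 5      # seconds
DEFAULT_PACKET_RATE = 1000   # packets per second

# Matches the bare stanza or one of its two leaves in 'display set' form.
SET_LINE = re.compile(
    r"^set system internet-options icmpv6-rate-limit"
    r"(?:\s+(bucket-size|packet-rate)\s+(\d+))?$"
)

def audit_icmpv6_rate_limit(display_set_lines):
    """Return {'configured', 'bucket_size', 'packet_rate'} for the config.
    configured=False means the control fails; otherwise explicit values are
    reported and the benchmark's defaults fill in any omitted keyword.
    """
    configured, explicit = False, {}
    for raw in display_set_lines:
        m = SET_LINE.match(raw.strip())
        if m is None:
            continue
        configured = True
        if m.group(1) is not None:
            explicit[m.group(1)] = int(m.group(2))
    if not configured:
        return {"configured": False, "bucket_size": None, "packet_rate": None}
    return {
        "configured": True,
        "bucket_size": explicit.get("bucket-size", DEFAULT_BUCKET_SIZE),
        "packet_rate": explicit.get("packet-rate", DEFAULT_PACKET_RATE),
    }

# Constructed 'show configuration | display set' excerpts, not device captures.
COMPLIANT_CONFIG = """
set system host-name router1
set system internet-options icmpv6-rate-limit bucket-size 10
set system internet-options icmpv6-rate-limit packet-rate 500
set system internet-options no-source-quench
""".strip().splitlines()

NONCOMPLIANT_CONFIG = """
set system host-name router2
set system internet-options no-source-quench
""".strip().splitlines()

if __name__ == "__main__":
    for name, cfg in (("router1", COMPLIANT_CONFIG), ("router2", NONCOMPLIANT_CONFIG)):
        res = audit_icmpv6_rate_limit(cfg)
        print(f"{name}: {'PASS' if res['configured'] else 'FAIL'} {res}")
```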

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: 5f63a7dcab35477d647b88a83b4cabfa3e8250bc4045f2a150078167f7b6d35f