We are having about a 3-4 Gbps ICMP flood on one of our servers and I wonder.. I have 20 Gbps of DDoS protection but the protection seems ineffective against ICMP, funnily enough (it worked well to block a ton of TCP and UDP attacks in the past, yet it fails for ICMP as we get downtime).
Here is a sample from the traffic posted by the DDoS detection: http://pastebin.com/raw.php?i=MW4gTN1C
The thing is that I cannot know what kind of ICMP packets those are.
1- Is it only possible to do such an attack with ICMP ECHO packets (ping packets), or are there other ICMP packet types that can be used for this kind of attack? Because I don't see myself being able to reflect ICMP packets except with echo requests.
2- I know ICMP is recommended to be left unblocked for a few things like MTU, so what kind of ICMP packets should I avoid or rate limit (in the case some are essential to fast network operations)?
3- Right now I asked for ICMP to be completely rejected altogether (bad idea I know but I needed a fast solution, and it worked) at the core router of the datacenter. The ACL is
0: deny icmp any 104.x.x.x/29
1: permit ip any any
Would there be a better way to block this kind of attack? Do you think that blocking only ICMP echo requests would be enough to get rid of the effects of the attack?
All in all I'm trying to come up with an ACL that filters potentially dangerous ICMP packets altogether without having to get rid of it completely.
Thanks
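The post asks which ICMP types an ACL should keep and which it can drop or rate limit. The following is an added example, not code from the original post or from the poster's datacenter: it models the ACL as an ordered first-match policy over the ICMP type, keeps Destination Unreachable (type 3, whose code 4 "fragmentation needed" is what path MTU discovery relies on) and Time Exceeded (type 11, which traceroute relies on), puts echo request/reply under a per-source token bucket instead of an outright block, and denies every other type. The packet bytes, source addresses, rate and burst values are all constructed here for illustration; the class and function names are mine, not any router vendor's.

```python
import struct
import time
from collections import defaultdict

# ICMPv4 type numbers (RFC 792 / IANA registry).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4          # DEST_UNREACH code 4: "fragmentation needed and DF set" (PMTUD)
TIMESTAMP_REQUEST = 13   # used below as an example of a type a public server need not accept

# Ordered policy, read the way a router ACL is read: first match wins.
# A match type of None is a wildcard; "ratelimit" means permit within a per-source budget.
POLICY = [
    ("permit", DEST_UNREACH),     # all unreachables, including code 4 needed for PMTUD
    ("permit", TIME_EXCEEDED),    # TTL expiry; traceroute depends on it
    ("ratelimit", ECHO_REQUEST),  # ping stays usable, but bounded per source
    ("ratelimit", ECHO_REPLY),
    ("deny", None),               # every other ICMP type
]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Construct a minimal ICMP message with a valid checksum (sample data for the demo)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(header)) + rest


def parse_icmp(payload: bytes):
    """Return (type, code) from an ICMP message, rejecting truncated or corrupt ones."""
    if len(payload) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _ = struct.unpack("!BBH", payload[:4])
    # A correct message sums to zero when the checksum field itself is included.
    if icmp_checksum(payload) != 0:
        raise ValueError("bad ICMP checksum")
    return icmp_type, code


class TokenBucket:
    """Per-source budget: up to `burst` packets at once, refilled at `rate` packets/second."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class IcmpFilter:
    """Applies POLICY to one ICMP message at a time; rate-limited types share a bucket per source."""

    def __init__(self, rate: float = 10.0, burst: int = 20):
        self.rate, self.burst = rate, burst
        self.buckets = defaultdict(lambda: TokenBucket(self.rate, self.burst))

    def decide(self, src: str, payload: bytes, now: float = None) -> str:
        """Return 'permit' or 'deny' for one ICMP message from source address `src`."""
        now = time.monotonic() if now is None else now
        try:
            icmp_type, _code = parse_icmp(payload)
        except ValueError:
            return "deny"   # malformed ICMP is never worth forwarding
        for action, match_type in POLICY:
            if match_type is None or match_type == icmp_type:
                if action == "ratelimit":
                    return "permit" if self.buckets[src].allow(now) else "deny"
                return action
        return "deny"


if __name__ == "__main__":
    f = IcmpFilter(rate=0.0, burst=3)
    print(f.decide("198.51.100.7", build_icmp(DEST_UNREACH, FRAG_NEEDED), now=0.0))   # permit
    print(f.decide("198.51.100.7", build_icmp(TIMESTAMP_REQUEST, 0), now=0.0))        # deny
    print([f.decide("203.0.113.9", build_icmp(ECHO_REQUEST, 0), now=0.0) for _ in range(4)])
```

The order of the policy entries matters in the same way the order of ACL lines does: the unreachable and time-exceeded permits sit above the final deny so that dropping a flood of echo requests never silently breaks PMTUD or traceroute for legitimate traffic to the /29.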