smurf attack prevention

I am looking for a configuration to prevent a SMURF attack, using rate-limit and without using rate-limit. Please provide the same.



The 3 options I can think of:

1) use command rate-limit

Apply to the (SMURF) incoming interface:

access-list 100 permit icmp any any echo
!
interface Serial2/0
 rate-limit input access-group 100 8000 1500 2000 conform-action drop exceed-action drop

2) block all icmp unreachables

interface Serial2/0
 no ip unreachables                              --> does not send any icmp unreachable back
 ip verify unicast source reachable-via any      --> verifies that there is a route to the source in the RIB

Not sure if both commands in 2) are needed.

3) LLQ (discard all icmp unreachables)

access-list 100 permit icmp any any echo
!
class-map match-all SMURF
 match access-group 100
!
policy-map SMURF
 class SMURF
  police cir 80000
   conform-action drop
   exceed-action drop
   violate-action drop
!
interface FastEthernet1/0
 service-policy input SMURF

Any other options or anything not correct here?
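As an added example (not from the original thread and not Cisco's own tooling), here is a small Python audit that reads an IOS-style configuration and reports, per interface, whether the controls from the three options above are present: a rate-limit or a policed service-policy covering inbound ICMP, `no ip unreachables`, and uRPF (`ip verify unicast`). It also flags an explicit `ip directed-broadcast`, because a router that forwards directed broadcasts is what turns a subnet into a smurf amplifier, and it checks echo-reply as well as echo, because what reaches the smurf victim is the amplifier hosts' echo replies rather than echo requests. The configuration text is constructed for the example; ACL 101, the second interface and the addresses are assumptions, and the script assumes the IOS 12.0+ default where directed broadcast is already disabled unless explicitly enabled.

```python
"""Audit an IOS-style config for smurf-related controls (constructed example)."""
import re
from collections import defaultdict

# Constructed sample configuration; not a real device.
SAMPLE_CONFIG = """\
access-list 100 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
!
class-map match-all SMURF
 match access-group 101
!
policy-map SMURF
 class SMURF
  police cir 80000
   conform-action drop
   exceed-action drop
   violate-action drop
!
interface Serial2/0
 ip address 192.0.2.1 255.255.255.252
 no ip unreachables
 ip verify unicast source reachable-via any
 rate-limit input access-group 100 8000 1500 2000 conform-action drop exceed-action drop
!
interface FastEthernet1/0
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
 service-policy input SMURF
!
"""


def parse_blocks(config):
    """Group config text into (header, [indented child lines]) blocks.
    Non-indented lines start a block; '!' comment lines are skipped."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.rstrip())  # keep indentation for nesting
    return blocks


def _skip_addr(tokens, i):
    """Advance past one ACL address spec: 'any', 'host X', or 'X wildcard'."""
    if i >= len(tokens):
        return i
    return i + 1 if tokens[i] == "any" else i + 2


def icmp_acl_types(blocks):
    """Map ACL number -> set of ICMP type keywords it permits ('any' = all)."""
    types = defaultdict(set)
    for header, _ in blocks:
        tok = header.split()
        if len(tok) < 5 or tok[:1] != ["access-list"] or tok[2:4] != ["permit", "icmp"]:
            continue
        i = _skip_addr(tok, _skip_addr(tok, 4))
        types[tok[1]].add(tok[i] if i < len(tok) else "any")
    return types


def policed_acls(blocks):
    """Map policy-map name -> set of ACL numbers whose class has a police action."""
    class_acl = {}
    for header, children in blocks:
        m = re.match(r"class-map (?:match-\S+ )?(\S+)", header)
        if m:
            for c in children:
                am = re.match(r"\s*match access-group (\d+)", c)
                if am:
                    class_acl[m.group(1)] = am.group(1)
    policed = defaultdict(set)
    for header, children in blocks:
        m = re.match(r"policy-map (\S+)", header)
        if not m:
            continue
        current = None
        for c in children:
            cm = re.match(r"\s*class (\S+)", c)
            if cm:
                current = cm.group(1)
            elif current in class_acl and re.match(r"\s*police ", c):
                policed[m.group(1)].add(class_acl[current])
    return policed


def audit_interface(lines, acl_types, policed):
    """Return a list of findings for one interface's stripped config lines."""
    findings = []
    if "ip directed-broadcast" in lines:
        findings.append("ip directed-broadcast is enabled: subnet can act as a smurf amplifier")
    if "no ip unreachables" not in lines:
        findings.append("ip unreachables not disabled")
    if not any(l.startswith("ip verify unicast") for l in lines):
        findings.append("no uRPF (ip verify unicast) on interface")
    covered = set()
    for l in lines:
        m = re.match(r"rate-limit input access-group (\d+)", l)
        if m:
            covered |= acl_types.get(m.group(1), set())
        m = re.match(r"service-policy input (\S+)", l)
        if m:
            for acl in policed.get(m.group(1), set()):
                covered |= acl_types.get(acl, set())
    if "any" in covered:
        covered = {"echo", "echo-reply"}
    for t in ("echo", "echo-reply"):
        if t not in covered:
            findings.append(f"inbound icmp {t} is not rate-limited or policed")
    return findings


def audit(config):
    """Map interface name -> findings for every interface in the config."""
    blocks = parse_blocks(config)
    acl_types, policed = icmp_acl_types(blocks), policed_acls(blocks)
    report = {}
    for header, children in blocks:
        m = re.match(r"interface (\S+)", header)
        if m:
            report[m.group(1)] = audit_interface([c.strip() for c in children], acl_types, policed)
    return report


if __name__ == "__main__":
    for intf, findings in audit(SAMPLE_CONFIG).items():
        print(intf, "-", "OK" if not findings else "; ".join(findings))
```

On the constructed sample, Serial2/0 is reported clean apart from the rate-limit matching only echo (not echo-reply), while FastEthernet1/0 is flagged for directed broadcast, missing `no ip unreachables`, missing uRPF, and a policy that covers echo-reply but not echo. Only the `police` action is detected; the script does not check whether the conform/exceed actions are drop or transmit, which is a policy decision left to the operator.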




