Attack Detection

You must have mechanisms in place to detect DoS attacks. You can use packet filters to help monitor and detect when an attack is occurring.

Using Filtering to Detect Ping Attacks

A variety of attacks use ICMP traffic. These attacks are designed to either overwhelm the resources of the target device, or fill the bandwidth of the link leading to the target device. In either case, the goal is to make the target device unreachable.

To detect these attacks, you can create firewall filters—not to block traffic, but to count and log it. The filter can be quite simple to create:

[edit]
lab@r1# show firewall family inet filter check-for-icmp
term A {
    from {
        destination-address {
            192.168.28.1/32;
        }
        protocol icmp;
    }
    then {
        count icmp-counter;
        log;
        accept;
    }
}
term B {
    then accept;
}

In this example, there is a server, 192.168.28.1, which could be a target for attack. Notice that at this point there is no protection in place; traffic is accepted. However, ICMP traffic destined for the server is counted and logged. This filter, once applied outbound to the JUNOS device’s server-facing interface, allows you to view statistics on how much ICMP traffic is being sent toward the server.

Once you have committed the configuration, use the show firewall command to monitor ICMP traffic toward the server:

[edit]
lab@r1> show firewall
Filter: __default_bpdu_filter__
Filter: check-for-icmp
Counters:
Name                                      Bytes           Packets
icmp-counter                                  0                 0

In the preceding example, you can see the filter, check-for-icmp ...
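Watching the counter by hand tells you only the running total. What you actually want for detection is the rate of change between two polls and a threshold to compare it against. The following Python script is an added example, not code from the book or from Juniper: it parses the show firewall output shown above from two successive polls, computes the ICMP packets-per-second and bits-per-second rate toward the server, and flags the result against a threshold. The two poll samples, the 10-second poll interval and the threshold values are constructed for illustration; the second poll assumes 100,000 ICMP packets of 84 bytes arrived between polls, and the script also tolerates a counter that was cleared between polls (the total goes down rather than up).

```python
import re

# Constructed sample: two `show firewall` polls taken 10 seconds apart.
# POLL_1 matches the output in the text; POLL_2 assumes a flood of
# 100,000 84-byte ICMP packets arrived in between (8,400,000 bytes).
POLL_1 = """\
Filter: __default_bpdu_filter__
Filter: check-for-icmp
Counters:
Name                                      Bytes           Packets
icmp-counter                                  0                 0
"""
POLL_2 = """\
Filter: __default_bpdu_filter__
Filter: check-for-icmp
Counters:
Name                                      Bytes           Packets
icmp-counter                            8400000            100000
"""
POLL_INTERVAL_S = 10  # assumed polling interval

# A counter row is: name, byte count, packet count, separated by whitespace.
COUNTER_RE = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)\s*$")


def parse_show_firewall(text):
    """Parse `show firewall` text into {filter: {counter: (bytes, packets)}}.

    Filters with no Counters section (such as the default BPDU filter)
    appear with an empty dict so callers can tell them apart from missing ones.
    """
    result = {}
    current = None
    in_counters = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {}
            in_counters = False
        elif line.startswith("Counters:"):
            in_counters = True
        elif line.startswith("Name "):
            continue  # column header of the counter table
        elif in_counters and current is not None:
            m = COUNTER_RE.match(line)
            if m:
                result[current][m["name"]] = (int(m["bytes"]), int(m["packets"]))
    return result


def counter_delta(prev, curr):
    """Delta between two counter samples; if the counter was cleared
    between polls (curr < prev) the current value is the best estimate."""
    return curr - prev if curr >= prev else curr


def icmp_rate(prev, curr, interval_s, filter_name="check-for-icmp", counter="icmp-counter"):
    """Return (packets/s, bits/s) for the named counter between two polls."""
    b0, p0 = prev[filter_name][counter]
    b1, p1 = curr[filter_name][counter]
    pps = counter_delta(p0, p1) / interval_s
    bps = counter_delta(b0, b1) * 8 / interval_s
    return pps, bps


def evaluate(prev, curr, interval_s, pps_threshold=1000, bps_threshold=10_000_000):
    """Compare the observed ICMP rate with (constructed) thresholds.

    Either a high packet rate (resource exhaustion on the server) or a high
    bit rate (link saturation) is enough to raise the alert, matching the
    two attack goals described in the text.
    """
    pps, bps = icmp_rate(prev, curr, interval_s)
    return {"pps": pps, "bps": bps, "alert": pps > pps_threshold or bps > bps_threshold}


if __name__ == "__main__":
    first = parse_show_firewall(POLL_1)
    second = parse_show_firewall(POLL_2)
    verdict = evaluate(first, second, POLL_INTERVAL_S)
    print(f"ICMP toward server: {verdict['pps']:.0f} pps, {verdict['bps']:.0f} bps, alert={verdict['alert']}")
```

In practice you would feed the script the output of repeated show firewall polls (for example, collected over SSH on a schedule) and tune the thresholds to the normal ICMP baseline for that server, so that routine pings do not trip the alert while a flood does.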

Get JUNOS High Availability now with the O’Reilly learning platform.