The Juniper SSG-140 has an "ICMP Flood Protection" option. We tried enabling that with a threshold as low as 10, and it still does not seem to protect us from ICMP flood attacks. We currently have an IP that our upstream provider has had to blackhole because, if they allow the traffic through on that IP, it takes our entire network offline, and we have a stream of log entries on the Juniper such as the following:
2013-11-04 11:54:48 alert ICMP flood! From 1.7.8.43 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2955 times.
2013-11-04 11:54:46 alert ICMP flood! From 66.242.243.144 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 1021 times.
2013-11-04 11:54:44 alert ICMP flood! From 221.150.195.4 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2815 times.
2013-11-04 11:54:43 alert ICMP flood! From 194.21.21.95 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2047 times.
2013-11-04 11:54:42 alert ICMP flood! From 139.89.241.149 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 7164 times.
2013-11-04 11:54:41 alert ICMP flood! From 36.117.185.226 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 1020 times.
2013-11-04 11:54:38 alert ICMP flood! From 218.168.87.67 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 1516 times.
2013-11-04 11:54:35 alert ICMP flood! From 118.251.44.55 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 4244 times.
2013-11-04 11:54:33 alert ICMP flood! From 34.231.106.8 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 3053 times.
2013-11-04 11:54:32 alert ICMP flood! From 222.240.81.182 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 1022 times.
2013-11-04 11:54:29 alert ICMP flood! From 223.223.38.61 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2180 times.
2013-11-04 11:54:26 alert ICMP flood! From 2.169.220.141 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 3459 times.
2013-11-04 11:54:24 alert ICMP flood! From 219.97.67.4 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 3731 times.
2013-11-04 11:54:21 alert ICMP flood! From 54.56.57.180 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 3277 times.
2013-11-04 11:54:18 alert ICMP flood! From 142.250.5.214 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2750 times.
2013-11-04 11:54:17 alert ICMP flood! From 95.51.87.53 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2812 times.
2013-11-04 11:54:16 alert ICMP flood! From 180.13.83.57 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 1024 times.
2013-11-04 11:54:13 alert ICMP flood! From 87.80.29.95 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 1496 times.
...and our uplink connection is instantly saturated until we have them re-blackhole the IP. Why is it showing "Occurred" counts in the thousands when ICMP was supposed to be ignored after 100 pps? Does the "ICMP Flood Protection" feature not work?
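An added example, not part of the original post: a small Python parser for the alert format quoted above that totals the "Occurred" counts and counts distinct source addresses over the logged window, which is a quick way to size a flood from the firewall's own log. The function name `summarize` is a choice made for this example, and the sample input is four lines copied from the log in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the alert lines quoted in the post; anything else is counted as skipped.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) alert ICMP flood! "
    r"From (?P<src>\S+) to (?P<dst>\S+), proto (?P<proto>\d+) "
    r"\(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times\.$"
)

# Four lines copied from the post's log (destination is already redacted there).
SAMPLE_LOG = """\
2013-11-04 11:54:48 alert ICMP flood! From 1.7.8.43 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2955 times.
2013-11-04 11:54:46 alert ICMP flood! From 66.242.243.144 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 1021 times.
2013-11-04 11:54:44 alert ICMP flood! From 221.150.195.4 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2815 times.
2013-11-04 11:54:43 alert ICMP flood! From 194.21.21.95 to xxx.xxx.xxx.xxx, proto 1 (zone Untrust, int ethernet0/2). Occurred 2047 times.
"""

def summarize(log_text):
    """Aggregate ICMP flood alerts: per-source totals, window length, skipped lines."""
    per_source = Counter()
    stamps = []
    skipped = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            skipped += 1          # not an ICMP flood alert in the expected format
            continue
        per_source[m["src"]] += int(m["count"])
        stamps.append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    window = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    return {
        "alerts": len(stamps),
        "distinct_sources": len(per_source),
        "total_reported": sum(per_source.values()),
        "window_seconds": window,
        "top_source": per_source.most_common(1)[0] if per_source else None,
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```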