Disable ICMP Unreachable replies

kernel networking

To prevent ICMP unreachable packets being sent, you can drop them using netfilter (iptables):

iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

Better is to prevent them being generated in the first place by using the DROP target on the INPUT traffic, rather than REJECT (or nothing where the kernel networking stack will create the unreachable reply rather than netfilter)

I don't think this will resolve your issues though; you need to identify what impact the DDoS is having; is it saturating the network or consuming system resources (CPU/memory etc). If it's network, then muting the replies may assist slightly, but you're still going to have the incoming packets on the wire.


The iptables target REJECT causes ICMP unreachable responses to be sent. Changing your target over to DROP will cause the incoming packets to be silently black-holed.

Related

SSD's in servers, best practice redundancy?
WSUS client detecting 0 updates
Alternative to ScaleMP?
Clean URLs and php extension on nginx
Millions of files in php's tmp error - how to delete? [closed]
windows server 2003 monitoring software combining SQL Server monitoring with CPU-IO stats
How to detect, in the guest operating system, if the vmware tools are out of date?
Wireless doesn't connect after suspend on an Asus K52F
How can I install 'restricted-extras' offline?
Prevent monitor from losing signal after screen saver / lock activates
Ubuntu 17.10 to 18.04 encrypted /home
How can I solve "fixed channel -1" (mon0 is on channel -1) issue when using airodump-ng?