Disable ICMP Unreachable replies

To prevent ICMP unreachable packets being sent, you can drop them using netfilter (iptables):

iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

Better is to prevent them being generated in the first place by using the DROP target on the INPUT traffic, rather than REJECT (or nothing, where the kernel networking stack will create the unreachable reply rather than netfilter).

I don't think this will resolve your issues though; you need to identify what impact the DDoS is having: is it saturating the network or consuming system resources (CPU, memory, etc.)? If it's network, then muting the replies may assist slightly, but you're still going to have the incoming packets on the wire.


The iptables target REJECT causes ICMP unreachable responses to be sent. Changing your target over to DROP will cause the incoming packets to be silently black-holed.
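Both answers come down to the same check: any INPUT rule that ends in REJECT makes the kernel answer with an ICMP error, so a DDoS aimed at a rejected port turns into outbound ICMP as well. The script below is an added example (not from either answer): it audits a constructed `iptables-save` dump for such rules, rewrites them to DROP, and confirms whether the belt-and-braces OUTPUT rule from the first answer is present. It works on the saved ruleset text, so it runs without root and without touching the live firewall.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for INPUT rules that REJECT
# (and therefore cause ICMP unreachable replies), and rewrite them to DROP.

# Constructed sample of `iptables-save` output, embedded so this runs offline.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp --dport 161 -j REJECT
-A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
COMMIT'

# Count INPUT rules whose target is REJECT. Each one makes the kernel answer
# matched packets with an ICMP error (icmp-port-unreachable by default, or a
# TCP RST when --reject-with tcp-reset is used) instead of staying silent.
count_input_rejects() {
    printf '%s\n' "$1" | grep -c -- '^-A INPUT .* -j REJECT' || true
}

# Emit the ruleset with every INPUT REJECT (with or without a --reject-with
# option) changed to DROP, so matched packets are silently black-holed.
rewrite_rejects_to_drop() {
    printf '%s\n' "$1" | sed -e '/^-A INPUT /s/ -j REJECT\( --reject-with [^ ]*\)\{0,1\}$/ -j DROP/'
}

# Succeed (exit 0) only if the ruleset also drops outbound ICMP
# destination-unreachable messages, the fallback rule from the first answer.
has_output_unreachable_drop() {
    printf '%s\n' "$1" | grep -q -- '^-A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP$'
}

echo "INPUT rules using REJECT: $(count_input_rejects "$SAMPLE_RULESET")"
echo "Rewritten ruleset:"
rewrite_rejects_to_drop "$SAMPLE_RULESET"
```

Feed the output of `iptables-save` into these functions on a real host to get the same report; the rewritten text can be reviewed and then loaded with `iptables-restore`.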