[4181] in linux-net channel archive
icmp flooding & spoofing
daemon@ATHENA.MIT.EDU (Jon Lewis)
Sat Aug 24 13:42:44 1996
Date: Sat, 24 Aug 1996 13:15:06 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Linux Net Mailing List <linux-net@vger.rutgers.edu>
Yesterday, we apparently got ping flooded by about 5 host addresses at
once. We noticed the net load, and fired up trafshow (something with
trafshow's features on linux would be nice) on a FreeBSD box, and noticed
that not only were we being icmp flooded...but at least some appeared to
be coming from spoofed addresses. One of them was 1.2.3.4. Our only
solution was to totally block icmp for a few hours at our Cisco which
handles our T1 to the net.

Are there any other solutions to this sort of problem? Just stopping
them at the Cisco didn't really help much. It kept our ethernet
quiet...but the T1 was still full until they quit pinging us.

Is there no way to stop this sort of thing from happening again, or to
track down where spoofed packets really did come from?
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will
Network Administrator | be proof-read for $199/hr.
________Finger jlewis@inorganic5.fdt.net for PGP public key_______
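The post describes two separable problems: a per-source ICMP echo flood, and source addresses that cannot be genuine. The following is an added example, not part of Jon's message or the linux-net archive, showing the kind of check a network administrator could run over a capture from the outside interface of the border router. It parses constructed tcpdump-style lines (the line format, the one-second window, the 50-packets-per-second threshold, the address 192.0.2.0/24 standing in for "our own prefix", and the bogon list are all assumptions made for this example), flags sources whose echo-request rate exceeds the threshold, and separately flags sources that should never appear on the Internet-facing side: private, loopback, multicast, and reserved space, or the site's own prefix arriving from outside. The second check is the local half of ingress filtering; as the post notes, neither check frees the T1 itself, since the packets have already crossed it by the time the router sees them. Only filtering further upstream, at the provider, does that.

```python
"""Added example (not from the original mailing-list post): detect an ICMP
echo flood per source and flag implausible (likely spoofed) sources in a
constructed tcpdump-style capture taken on the outside interface."""
import ipaddress
import re
from collections import defaultdict, deque

# Assumed line format: "HH:MM:SS.ffffff SRC > DST: icmp: echo request"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+): icmp: echo request$"
)

# Assumption: the prefix behind our border router (a documentation range
# chosen for this example). A packet from it arriving on the outside
# interface cannot be genuine.
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Address space that should never be a source on the Internet side
# (private, "this network", loopback, multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

WINDOW_SECONDS = 1.0   # sliding window length (assumed)
FLOOD_THRESHOLD = 50   # echo requests per source per window (assumed)


def parse_timestamp(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def classify_source(src):
    """Return a reason string if the source address is implausible, else None."""
    addr = ipaddress.ip_address(src)
    if addr in OUR_PREFIX:
        return "our own prefix arriving from outside"
    for net in BOGON_PREFIXES:
        if addr in net:
            return "bogon source %s" % net
    return None


def analyze(lines):
    """Return (flooders, implausible).

    flooders:   src -> peak number of echo requests seen in any one window
                (only sources above FLOOD_THRESHOLD are included)
    implausible: src -> reason the source cannot be genuine
    """
    windows = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(int)
    implausible = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # not an echo request, or unparsable
        src = m.group("src")
        t = parse_timestamp(m.group("ts"))
        reason = classify_source(src)
        if reason:
            implausible[src] = reason
        q = windows[src]
        q.append(t)
        while q and t - q[0] > WINDOW_SECONDS:
            q.popleft()             # drop timestamps that left the window
        peak[src] = max(peak[src], len(q))
    flooders = {s: n for s, n in peak.items() if n > FLOOD_THRESHOLD}
    return flooders, implausible


def build_sample():
    """Constructed capture: one flooder (the 1.2.3.4 from the post), one
    spoofed-internal source, one bogon source, and two ordinary hosts."""
    def fmt(sec, src):
        return "13:01:%09.6f %s > 192.0.2.10: icmp: echo request" % (sec, src)
    lines = []
    lines += [fmt(0.005 * i, "1.2.3.4") for i in range(200)]      # 200 pkt/s
    lines += [fmt(s, "198.51.100.7") for s in (0.1, 0.6, 1.3)]    # normal
    lines += [fmt(0.25 + 0.2 * i, "203.0.113.8") for i in range(5)]
    lines += [fmt(s, "10.0.0.5") for s in (0.3, 0.9)]             # bogon
    lines += [fmt(0.7, "192.0.2.99")]                             # our prefix
    lines.sort()                    # fixed-width timestamps sort by time
    return lines


if __name__ == "__main__":
    flooders, implausible = analyze(build_sample())
    for src, n in sorted(flooders.items()):
        print("FLOOD     %-15s %d echo requests in %.0fs" % (src, n, WINDOW_SECONDS))
    for src, why in sorted(implausible.items()):
        print("IMPLAUSIBLE %-13s %s" % (src, why))
```

Run on a real capture, the "implausible" list is what you would hand to the upstream provider, since only they can filter such sources before they fill the link; the flood list tells you which public sources to rate-limit or block locally instead of dropping all ICMP.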