[11512] in North American Network Operators' Group


Re: [nsp] known networks for broadcast ping attacks

daemon@ATHENA.MIT.EDU (Alex.Bligh)
Thu Jul 31 04:36:28 1997

To: "Jordyn A. Buchanan" <jordyn@bestweb.net>
cc: "Alex.Bligh" <amb@xara.net>, cisco-nsp@cic.net, nanog@merit.edu
In-reply-to: Your message of "Wed, 30 Jul 1997 15:47:26 EDT."
             <v0310281cb00548bcef8f@[208.197.0.27]> 
Date: Thu, 31 Jul 1997 09:32:22 +0100
From: "Alex.Bligh" <amb@xara.net>

> At 7:56 PM +0100 7/30/97, Alex.Bligh wrote:
> >Urm, 192.41.177.255 is the MAE-East LAN ?! Are you saying attacks are
> >being mounted from here or people are attacking this LAN (not
> >sure which is more worrying)
> 
> The LAN is being used indirectly to attack another network.  Pings are
> spoofed as originating from the machine that is being attacked and sent to
> the broadcast address on another network.  This causes every machine on the
> receiving network to send an ECHO_RESPONSE to the machine being attacked,
> essentially creating a huge multiplying effect on a ping flood attack.
> 
> Apparently, the MAE-East LAN is one of the networks that attackers are
> using to flood other hosts.

Right. Well that's how I read it too. And just to make sure this thread
is indeed operations related, I'll make the following points:

1. Send a Cisco enough (a thousand a second) ICMP ECHO REQUESTS, and
   it takes CPU to 99% and drops all BGP sessions. Tested on a C7010.

2. Various routers on MAE-East have been mysteriously clearing all their
   BGP peers over the past week or two.

3. The attack mentioned causes a lot of ICMP ECHO REQUESTS to be sent
   to Cisco routers on MAE-East.

Are these facts by any chance related? I think we should be told. Or,
urm, find out. On with that logging ACL.

Alex Bligh
Xara Networks
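
Added example, not part of the original message: one way to read the output of a logging ACL like the one mentioned above, summing ICMP echo requests sent to the broadcast address per claimed source (which, in the attack described, is the spoofed victim). It assumes syslog lines in the Cisco IOS `%SEC-6-IPACCESSLOGDP` format; the sample lines, the hostname `rtr1`, the `min_packets` threshold and every address other than 192.41.177.255 are constructed for illustration.

```python
import re
from collections import Counter

# Broadcast address named in the thread (the only value taken from the page).
BROADCASTS = {"192.41.177.255"}

# ICMP form of an IOS logging-ACL syslog message: src -> dst (type/code), count.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list \S+ (?:permitted|denied) icmp "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
Jul 31 09:30:01 rtr1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.7 -> 192.41.177.255 (8/0), 1 packet
Jul 31 09:30:04 rtr1 %LINK-3-UPDOWN: Interface Serial0, changed state to up
Jul 31 09:35:01 rtr1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.7 -> 192.41.177.255 (8/0), 2340 packets
Jul 31 09:35:02 rtr1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 192.41.177.255 (8/0), 3 packets
Jul 31 09:35:03 rtr1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.20 -> 192.41.177.12 (8/0), 40 packets
Jul 31 09:35:04 rtr1 %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.41.177.12 -> 198.51.100.7 (0/0), 900 packets
"""

def echo_requests_to_broadcast(log_text, broadcasts=BROADCASTS):
    """Total ICMP echo requests (type 8) to a broadcast address, per claimed source."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a logging-ACL ICMP line
        if int(m["type"]) != 8 or m["dst"] not in broadcasts:
            continue  # echo replies and unicast pings are not the amplifier trigger
        totals[m["src"]] += int(m["count"])  # IOS batches repeats into one line
    return totals

def likely_victims(log_text, min_packets=1000):
    """Claimed sources whose broadcast pings exceed a (hypothetical) threshold."""
    totals = echo_requests_to_broadcast(log_text)
    return sorted(src for src, n in totals.items() if n >= min_packets)

if __name__ == "__main__":
    for src, n in echo_requests_to_broadcast(SAMPLE_LOG).most_common():
        print(f"{src}: {n} echo requests to broadcast")
    print("likely victims:", likely_victims(SAMPLE_LOG))
```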




