[11753] in North American Network Operators' Group
Re: [nsp] known networks for broadcast ping attacks
daemon@ATHENA.MIT.EDU (Rick Watson)
Mon Aug 11 23:09:05 1997
From: Rick Watson <rick@akbar.cc.utexas.edu>
To: feh@netstat.net (Netstat Webmaster)
Date: Mon, 11 Aug 1997 21:57:31 -0500 (CDT)
Cc: snash@lightning.net, amb@xara.net, nanog@merit.edu
In-Reply-To: <Pine.BSI.3.91.970730164810.5940B-100000@wwwlab.com> from "Netstat Webmaster" at Jul 30, 97 04:57:34 pm
Netstat Webmaster wrote:
> [some text omitted]
> The real problem I see with this particular attack is that there is
> nothing short of blocking all ICMPs that 'victim.com' can do. At least
> not that I am aware of.
>
> Regards,
> Tripp
>
> webmaster@http://www.netstat.net
This does not solve the entire problem. We have been the victim of
such an attack for the last several days. The attack is using up about
7 Mbits of our DS3 to Sprint or about 16%. Filtering out ICMP packets
at the router we control only prevents the target host from seeing the
ping replies, but does not recover the portion of our circuit occupied
by the ping replies, or of Sprint's backbone circuits, or of other
providers' circuits in the path, etc.
The filters need to be higher up the chain. EVERYONE needs to install
anti-spoof filters.
I'd prefer not to be forced to filter out all pings. Everyone
filtering out ICMP packets means there is a 100% successful denial of
service attack on what is otherwise a very useful debugging tool
(ping).
Rick Watson
The University of Texas, ACITS Networking Services
r.watson@utexas.edu
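The two filtering points the post contrasts, modelled as an added example (this is not code from the original message, from UT Austin or from any router vendor). It simulates an anti-spoof ingress filter at a provider's customer-facing edge, the kind of filter the post asks everyone to install and which is now usually called BCP 38 ingress filtering, alongside an ICMP block on the victim's own router. The addresses, the customer-port-to-prefix table, the packet sizes and the traffic mix are all constructed; the circuit rate is a nominal 45 Mbit/s DS3.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    ingress_port: str  # router port the packet arrived on
    src: str           # source IPv4 address as text
    dst: str           # destination IPv4 address as text
    proto: str         # "icmp", "tcp", "udp"
    size: int          # bytes on the wire


# Hypothetical provider edge: each customer-facing port lists the prefixes that
# customer is allowed to source traffic from (constructed, documentation ranges).
CUSTOMER_PREFIXES = {
    "cust-a": [IPv4Network("192.0.2.0/24")],
    "cust-b": [IPv4Network("198.51.100.0/24"), IPv4Network("203.0.113.0/25")],
}


def anti_spoof_permit(pkt: Packet) -> bool:
    """Ingress filter: forward only if the source lies in the arrival port's prefixes."""
    prefixes = CUSTOMER_PREFIXES.get(pkt.ingress_port)
    if prefixes is None:
        return False  # unknown port: fail closed
    src = IPv4Address(pkt.src)
    return any(src in prefix for prefix in prefixes)


def apply_edge_filter(pkts):
    """Split packets into (forwarded, dropped) according to the anti-spoof rule."""
    forwarded, dropped = [], []
    for pkt in pkts:
        (forwarded if anti_spoof_permit(pkt) else dropped).append(pkt)
    return forwarded, dropped


def victim_icmp_block(pkts, link_bps, window_s):
    """ICMP block on the victim's own router.

    Returns (delivered packets, bytes that crossed the link, fraction of link
    capacity consumed over the window). Dropped ICMP still counts against the
    link: this filter runs after the packet has already used the circuit.
    """
    delivered = [pkt for pkt in pkts if pkt.proto != "icmp"]
    bytes_on_link = sum(pkt.size for pkt in pkts)
    fraction = bytes_on_link * 8 / (link_bps * window_s)
    return delivered, bytes_on_link, fraction


# Constructed sample at the provider edge: two legitimate packets, one whose
# source claims an address outside its customer's assignment, and one from a
# port with no prefix table at all.
EDGE_SAMPLE = [
    Packet("cust-a", "192.0.2.10", "198.51.100.7", "tcp", 1500),
    Packet("cust-b", "203.0.113.5", "192.0.2.10", "udp", 512),
    Packet("cust-a", "203.0.113.200", "198.51.100.7", "icmp", 84),  # spoofed source
    Packet("cust-c", "192.0.2.99", "198.51.100.7", "tcp", 64),      # port not configured
]


def edge_demo():
    """Source addresses that pass and that are stopped at the edge."""
    forwarded, dropped = apply_edge_filter(EDGE_SAMPLE)
    return [p.src for p in forwarded], [p.src for p in dropped]


# Constructed sample on the victim's upstream link: one second of echo replies
# (84 bytes each) plus a single legitimate TCP packet, on a nominal DS3.
DS3_BPS = 45_000_000
VICTIM_SAMPLE = [
    Packet("upstream", f"198.51.100.{i % 250 + 1}", "203.0.113.200", "icmp", 84)
    for i in range(10_000)
] + [Packet("upstream", "192.0.2.10", "203.0.113.200", "tcp", 1500)]


def victim_demo():
    """Packets the host sees, bytes the circuit carried, share of the circuit used."""
    delivered, on_link, fraction = victim_icmp_block(VICTIM_SAMPLE, DS3_BPS, 1.0)
    return len(delivered), on_link, round(fraction, 3)


if __name__ == "__main__":
    print("edge filter:", edge_demo())
    print("victim ICMP block:", victim_demo())
```

The edge filter drops the spoofed packet before it reaches anyone else's circuit, which is the outcome the post is after; the victim-side block delivers only the one TCP packet yet the replies still occupy about 15% of the circuit for that second, roughly the figure the post reports.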