Ping flooding

George Herbert gherbert at crl.com
Tue Jul 9 01:10:56 UTC 1996


>We are currently undergoing a ping flood attack, though our upstream
>provider has filtered icmp from the host so the flood is no longer
>affecting our T1 line.
>
>The system administrator of the site that appears to be flooding us
>doesn't believe his site is the source of the attack. He states that he
>can't see the icmp packets, though I don't know how he is sniffing his
>wire. 
>
>My questions are these: 
>
>Is it possible for someone to forged the source IP address of an icmp
>packet?

Yes, trivially.

>If so, do they have to be in some routing proximity, or can they forge the
>source address while they are connected from anywhere in the world?

Anywhere that doesn't have outbound source filtering on their net
connection... which is almost nobody.

Back when I was at UC Berkeley in the late 80s, variations on this
scheme were coded up and regularly used to interfere with other
people's network game sessions (re-routing xtrek screen updates 
through Finland, similar stunts).  The same basic concept can
be done with any source IP addr and any ICMP command (or, basically,
any IP data you want too).

It is entirely possible that the information the other sysadmin has,
that it's not coming from his net, is correct.  If so, you have to
go to your upstream and start tracing those packets back through the
WAN connections to find out where they come from.  This is doable but
not at all trivial.  However, it you see enough evidence to think it's
someone trying to take you down maliciously and not just goofing off
a bit, it is definitely worth doing the backtrack to find them.
This is a classic denial of service attack which is a computer
crime in most states and under federal computer crime laws if
the attacker is in another state from you.

-george william herbert
gherbert at crl.com







More information about the NANOG mailing list