Ping flooding (fwd)
Paul A Vixie
paul at vix.com
Tue Jul 9 02:42:28 UTC 1996
>OK. So what if somebody is currently planning a ping battle on the global
>Internet, kind of like corewars in the netwrk. Then what? Do the NSP's all
>roll over and play dead?
Sounds sort of like the day they put Peter Gabriel on MBONE.
word, and unfortunately, yes. See more below.
> Before you answer, take note that this is going to appear in Bob
> Metcalfe's column next week.
In a word, and fortunately, no. See more on last line.
> We are currently undergoing a ping flood attack, though our upstream
> provider has filtered icmp from the host so the flood is no longer
> affecting our T1 line.
You should thank them for this, as it is pretty much your only recourse
> The system administrator of the site that appears to be flooding us
> doesn't believe his site is the source of the attack. He states that he
> can't see the icmp packets, though I don't know how he is sniffing his
Provided that he has a single broadcast LAN segment (e.g., an ethernet
segment on a dumb hub) feeding into his network feed (T1 or whatever),
then he could use tcpdump or Solaris' snoop to check for ICMP packets.
> My questions are these:
> Is it possible for someone to forged the source IP address of an icmp
Trivially so, yes.
> If so, do they have to be in some routing proximity, or can they forge the
> source address while they are connected from anywhere in the world?
To answer this question, think about how your Internet gateway works.
When it receives an outgoing packet, what does it do? It examines the
destination header and makes a decision as to which interface to forward
it onto. If it is destined for network X, then it consults its routing
table and merrily forwards the packet.
If you have a very restrictive security policy, then you might want to
place a packet filter on all outgoing traffic. If your network is
10.1.1.64/26, then you might have the following two rules:
action source destination
------ ------ -----------
allow 10.1.1.64/26 *
deny * *
Of course, no one does this, because it is very time consuming for your
router to examine every packet in this way. This translates into more
marginal cost on your hardware for very little return.
Say that person X, the person who owns the network from which these pings
are apparently originating, did have such a filter. What does this do?
It proves that the packets are not originating on his network. Does it
stop anyone else from forging these packets? No.
The attacker, Y, might have a machine on someone else's network. If they
do not have a similar rule on their routers connecting to the global
network (again, most people don't), then these packets will simply be
routed to their destination.
But say that Y is not a guest on someone else's network. Say he has a T1
from, e.g., MCI. At the router on MCI's end of the T1, do they have one
of these filters to prevent such impersonations? Probably not.
And why would they? It would be very expensive (the leased line business
is very competitive), and the only thing it would do is potentially annoy
the customer. If they are mistakenly placing the wrong return address on
their packets, then they will figure it out very quickly; all return
traffic from any network sessions they establish will be sent to another
network. Zippo, no WWW, no mail, etc.
In other words, the attacker could be anywhere in the world. The only
way to track him down would be for your ISP to put monitors at all of
their interconnect points with other networks. Once they figure out the
point at which the traffic is entering their network, then _that_ network
would have to place monitors on all of _their_ connect points.
Eventually, you could track it down this way. I don't think that you
would be very successful convincing the various networks to cooperate,
Your provider did a very nice thing by stopping all ICMP packets. You
should make it publicly known that they are doing so, in the hopes that
whoever is doing this will tire of using all their bandwidth to bombard
you. (Until they do so, your ISP will continue to absorb the cost of
transporting all this traffic to your doorstep and /dev/nulling it.)
If they ever start forging packets to your www server|port 80, you will be
royally screwed. Be glad that your attacker is stupid, because they
appear to be rich and patient (assuming it really is a forged address.)
It probably isn't forged. Ask for more details from the suspect's network
administrator. If he continues to be uncooperative, call the upstream
provider of the apparent offender and ask them to monitor the suspect's
line. This qualifies as definite antisocial behaviour.
Todd Graham Lewis Core Engineering Mindspring Enterprises
tlewis at mindspring.com (Standard Disclaimers) (800) 719 4664, x2804
(Copyright 1996 Todd Lewis, All Rights Reserved.)
More information about the NANOG