Ping flooding (fwd)

Paul A Vixie paul at
Tue Jul 9 02:42:28 UTC 1996

>OK. So what if somebody is currently planning a ping battle on the global
>Internet, kind of like corewars in the netwrk. Then what? Do the NSP's all
>roll over and play dead?

Sounds sort of like the day they put Peter Gabriel on MBONE.

word, and unfortunately, yes.  See more below.

> Before you answer, take note that this is going to appear in Bob
> Metcalfe's column next week.

In a word, and fortunately, no.  See more on last line.

> We are currently undergoing a ping flood attack, though our upstream
> provider has filtered icmp from the host so the flood is no longer
> affecting our T1 line.

You should thank them for this, as it is pretty much your only recourse

> The system administrator of the site that appears to be flooding us
> doesn't believe his site is the source of the attack. He states that he
> can't see the icmp packets, though I don't know how he is sniffing his
> wire. 

Provided that he has a single broadcast LAN segment (e.g., an ethernet 
segment on a dumb hub) feeding into his network feed (T1 or whatever), 
then he could use tcpdump or Solaris' snoop to check for ICMP packets.

> My questions are these: 
> Is it possible for someone to forged the source IP address of an icmp
> packet?

Trivially so, yes.

> If so, do they have to be in some routing proximity, or can they forge the
> source address while they are connected from anywhere in the world?

To answer this question, think about how your Internet gateway works.  
When it receives an outgoing packet, what does it do?  It examines the 
destination header and makes a decision as to which interface to forward 
it onto.  If it is destined for network X, then it consults its routing 
table and merrily forwards the packet.

If you have a very restrictive security policy, then you might want to 
place a packet filter on all outgoing traffic.  If your network is, then you might have the following two rules:

action      source        destination
------      ------        -----------

allow  *
deny        *             *

Of course, no one does this, because it is very time consuming for your 
router to examine every packet in this way.  This translates into more 
marginal cost on your hardware for very little return.

Say that person X, the person who owns the network from which these pings 
are apparently originating, did have such a filter.  What does this do?  
It proves that the packets are not originating on his network.  Does it 
stop anyone else from forging these packets?  No.

The attacker, Y, might have a machine on someone else's network.  If they 
do not have a similar rule on their routers connecting to the global 
network (again, most people don't), then these packets will simply be 
routed to their destination.

But say that Y is not a guest on someone else's network.  Say he has a T1 
from, e.g., MCI.  At the router on MCI's end of the T1, do they have one 
of these filters to prevent such impersonations?  Probably not.

And why would they?  It would be very expensive (the leased line business 
is very competitive), and the only thing it would do is potentially annoy 
the customer.  If they are mistakenly placing the wrong return address on 
their packets, then they will figure it out very quickly; all return 
traffic from any network sessions they establish will be sent to another 
network.  Zippo, no WWW, no mail, etc.

In other words, the attacker could be anywhere in the world.  The only 
way to track him down would be for your ISP to put monitors at all of 
their interconnect points with other networks.  Once they figure out the 
point at which the traffic is entering their network, then _that_ network 
would have to place monitors on all of _their_ connect points.  
Eventually, you could track it down this way.  I don't think that you 
would be very successful convincing the various networks to cooperate, 

Your provider did a very nice thing by stopping all ICMP packets.  You 
should make it publicly known that they are doing so, in the hopes that 
whoever is doing this will tire of using all their bandwidth to bombard 
you.  (Until they do so, your ISP will continue to absorb the cost of 
transporting all this traffic to your doorstep and /dev/nulling it.)

If they ever start forging packets to your www server|port 80, you will be 
royally screwed.  Be glad that your attacker is stupid, because they 
appear to be rich and patient (assuming it really is a forged address.)

> Thanks!

You're welcome.


It probably isn't forged.  Ask for more details from the suspect's network
administrator.  If he continues to be uncooperative, call the upstream
provider of the apparent offender and ask them to monitor the suspect's
line.  This qualifies as definite antisocial behaviour.

Todd Graham Lewis        Core Engineering      Mindspring Enterprises
tlewis at  (Standard Disclaimers)   (800) 719 4664, x2804
         (Copyright 1996 Todd Lewis, All Rights Reserved.)

More information about the NANOG mailing list