Ping flooding (fwd)
Daniel W. McRobb
dwm at ans.net
Tue Jul 9 05:21:47 UTC 1996
> On Mon, 8 Jul 1996, Daniel W. McRobb wrote:
> > The problem is not really a technical one. It's administrative. It's
> > much more of a headache to backtrack through 30 routers that aren't in
> > your own network than to backtrack to the ingress to your own network
> > domain and filter it out there (which is the typical response to this
> > kind of thing). Getting everyone in the path to cooperate with
> > backtracking is difficult in many instances, impossible in others.
> I recall that people have cooperated in the past on some sort of
> performance analysis tool that transported packets through a tunnel to
> some remote point and initiated an analysis of some sort from that point.
> I believe this was done by NLANR and had something to do with vBNS.
> I don't think this is all that different. If some means existed for an NSP
> to initiate a trace on a specific source address to backtrack it to the
> real source then an easy to use tool could be built. Of course, first of
> all router vendors need to make a quick and relatively painless way to
> track down the interface that a packet comes in from, maybe
There will likely never be a means for a single NSP to track down the
real source of spoofed packets using IPv4. Service providers won't be
letting other service providers track spoofed packets through their
> set icmp-source-trace 188.8.131.52 on
> and later....
> show icmp-source-trace
> IP address        Interface
> ----------        ---------
> 184.108.40.206    NO TRACE
> Note that the source trace was active for a period of time and then
> expired automatically with no new ICMP packets bearing the specified
> source address in that period of time. If this facility is available an
> easy to use tool could be built.
In the case of a spoofed-source, denial of service attack, the source
address is often of less use than the destination address/port/protocol
in tracking down the real source. The attacker just switches the source
address and walks right through your trace (or filters).
Don't get me wrong; I think packet sniffing capabilities (even in their
simplest forms) can be very useful and I wish there were more facilities
in typical routers for tracking traffic via IP header information.
> > that doesn't even take into account the cases where an attacker has
> > multiple paths into your network and is using multiple forged source
> > addresses, much less the fact that the attacker can turn off the attack
> > when he/she chooses, thwarting your effort to track them.
> No doubt about it. Being a detective is hard, boring, plodding work and
> sometimes you just never find the crook. But it's still worth trying.
Define worth. I live in a capitalist society where catching a criminal
is of little worth (particularly an ICMP bomber who's arguably not much
worse than a USENET spammer) in its own right and often only worthwhile
if there's monetary compensation involved (either from a legal
settlement, reward or just recovery of service and time spent fixing
things that are broken by an attacker). :-)
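The point above about source addresses, as an added worked example that is not part of the original NANOG post and is not any router vendor's feature: it models the hypothetical "icmp-source-trace" facility from the quoted message as a time-windowed count of matching packets per ingress interface, then keys the same trace on destination and protocol. The packets, interface names (Serial1, Ethernet0) and addresses are all constructed; the attacker rotates the forged source every two seconds, so a source trace started on the first address seen expires empty ("NO TRACE") while a destination/protocol trace over the same window still points at the ingress interface.

```python
"""Ingress-interface tracing for a spoofed-source ICMP flood.

Added example (not from the NANOG post or any router vendor).  It models
the hypothetical "icmp-source-trace" facility from the quoted message as
a time-windowed count of matching packets per ingress interface, and
contrasts it with keying the trace on destination/protocol, as the reply
argues.  All packets, interface names and addresses below are constructed
(RFC 5737 documentation ranges).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

VICTIM = "203.0.113.5"  # constructed victim address (the flood's destination)


@dataclass(frozen=True)
class Packet:
    t: float                     # seconds since the trace was started (constructed)
    iface: str                   # router interface the packet arrived on
    src: str                     # source address as seen on the wire (may be forged)
    dst: str
    proto: str                   # "icmp", "udp" or "tcp"
    dport: Optional[int] = None  # transport destination port; None for ICMP


def _in_window(p: Packet, start: float, window: float) -> bool:
    return start <= p.t < start + window


def source_trace(packets: List[Packet], src: str, start: float, window: float) -> Dict[str, int]:
    """'set icmp-source-trace <src> on': count ICMP packets per ingress interface
    bearing the given source address during the window.  An empty result is
    what the quoted 'show' output prints as NO TRACE."""
    hits = Counter(p.iface for p in packets
                   if p.proto == "icmp" and p.src == src and _in_window(p, start, window))
    return dict(hits)


def dest_trace(packets: List[Packet], dst: str, proto: str, start: float, window: float,
               dport: Optional[int] = None) -> Dict[str, int]:
    """Trace keyed on what the attacker cannot rotate freely: the victim
    address, the protocol and (for UDP/TCP) the destination port."""
    hits = Counter(p.iface for p in packets
                   if p.dst == dst and p.proto == proto
                   and (dport is None or p.dport == dport)
                   and _in_window(p, start, window))
    return dict(hits)


def dominant_ingress(counts: Dict[str, int], share: float = 0.9) -> Optional[str]:
    """Interface carrying at least `share` of the matched packets, or None when
    nothing matched or the flood is split across several paths into the network."""
    total = sum(counts.values())
    if total == 0:
        return None
    iface, n = max(counts.items(), key=lambda kv: kv[1])
    return iface if n / total >= share else None


def build_sample() -> List[Packet]:
    """Constructed traffic: an attacker behind Serial1 floods VICTIM with ICMP
    and changes the forged source every 2 seconds; Ethernet0 carries ordinary
    traffic, including one legitimate ping of the victim."""
    forged = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    pkts: List[Packet] = []
    t = 0.0
    while t < 8.0:                      # 4 packets/s for 8 s = 32 flood packets
        pkts.append(Packet(t, "Serial1", forged[int(t) // 2], VICTIM, "icmp"))
        t += 0.25
    pkts.append(Packet(0.5, "Ethernet0", "198.51.100.7", VICTIM, "icmp"))
    pkts.append(Packet(1.0, "Ethernet0", "198.51.100.8", "203.0.113.9", "tcp", 80))
    pkts.append(Packet(3.0, "Ethernet0", "198.51.100.9", VICTIM, "udp", 53))
    return pkts


def show(counts: Dict[str, int]) -> str:
    """Render like the quoted 'show icmp-source-trace' output."""
    if not counts:
        return "NO TRACE"
    return "\n".join(f"{iface:<12} {n:>6}" for iface, n in sorted(counts.items()))


if __name__ == "__main__":
    pkts = build_sample()
    # The operator starts a source trace at t=2 on the first forged address seen;
    # the attacker has already moved on, so the trace expires empty.
    print("source trace 192.0.2.10 from t=2:", show(source_trace(pkts, "192.0.2.10", 2.0, 4.0)))
    # The same window keyed on destination+protocol still finds the ingress.
    print("dest trace", VICTIM, "icmp from t=2:")
    print(show(dest_trace(pkts, VICTIM, "icmp", 2.0, 4.0)))
    print("likely ingress:", dominant_ingress(dest_trace(pkts, VICTIM, "icmp", 2.0, 4.0)))
```

The `share` threshold in `dominant_ingress` is there for the multiple-paths case raised in the quoted text: when the matched packets are spread across several interfaces, no single ingress is reported and each candidate has to be filtered or traced further upstream separately.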