[nsp] known networks for broadcast ping attacks

Rick Watson rick at akbar.cc.utexas.edu
Tue Aug 12 02:57:31 UTC 1997

Netstat Webmaster wrote:
> [some text omitted]
> The real problem I see with this particular attack is that there is 
> nothing short of blocking all ICMPs that 'victim.com' can do. At least 
> not that I am aware of.
> Regards,
> Tripp
> webmaster at http://www.netstat.net

This does not solve the entire problem. We have been the victim of
such an attack for the last several days. The attack is using up about
7 Mbits of our DS3 to Sprint or about 16%. Filtering out ICMP packets
at the router we control only prevents the target host from seeing the
ping replies, but does not recover the portion of our circuit occupied
by the ping replies, or of Sprint's backbone circuits, or of other
provider's circuits in the path, etc.

The filters need to be higher up the chain. EVERYONE needs to install
anti-spoof filters. 

I'd prefer not to be forced to filter out all pings. Everyone
filtering out ICMP packets means there is a 100% successful denial of
service attack on what is otherwise a very useful debugging tool

Rick Watson 
The University of Texas, ACITS Networking Services
 r.watson at utexas.edu

More information about the NANOG mailing list