ICMP Attacks???????

Joe Shaw jshaw at insync.net
Fri Aug 15 14:06:39 UTC 1997


On Fri, 15 Aug 1997, Network Admin Account wrote:

> 
> Has anyone been recently attacked by massive flood pings??????  We are
> trying to locate any other ISPs or anyone else having the same problem.

Ping floods are quite possibly the single most common form of attempted
denial of service attacks.  If someone is ping flooding you, plug a
sniffer into the ethernet and take a look at where they're coming
from.  Or, if you know what host on your network is under attack, a simple
netstat will show you the open connections at that time.  If you're lucky,
it's just some clueless person doing a ping -f or similar.  Or, you're
being attacked by the smurf.c program (or similar) that forges ICMP
packets with your source address to broadcast addresses and then you get
flooded by the replies.  I'd just go to a few of your machines and do a
netstat on them, then dump the data to a file and see if you can see where
all the ICMP packets are coming from.  When you find out, it's time to get
on the horn and talk to the Administrative and Technical contact for the
domain.  Also, it might not be a bad idea to deny ICMP at your router.
This can be done by adding lines like these to your Cisco access-list:

access-list 101 permit icmp any host 204.253.208.20
access-list 101 permit icmp any host 204.253.208.10
access-list 101 deny icmp any 204.253.208.0 0.0.0.255
access-list 101 permit ip any any

The permit lines allow people from the outside (or whatever other
interface(s) we apply this access list to) to still ping some sites.  All
ICMP traffic to others is denied.

I don't mean to insult your intelligence if you already knew this, but I
figured if you didn't know it, you might want to.  And, we haven't
experienced any ping flood recently that I can think of (the access-list
did help).

Joe Shaw - jshaw at insync.net
NetAdmin - Insync Internet Services
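Added example (not part of the original message): a small Python model of how a Cisco router evaluates the access-list above, top-down with first match winning and an implicit deny at the end, run over constructed packets. It also builds a reordered copy of the same four lines (deny first) to show why the order of the permit and deny entries matters; the packet addresses and the reordered list are constructed for the demonstration.

```python
import ipaddress
from typing import List, Tuple

# The access-list from the message, verbatim, evaluated top-down (first match wins).
ACL_TEXT = """\
access-list 101 permit icmp any host 204.253.208.20
access-list 101 permit icmp any host 204.253.208.10
access-list 101 deny icmp any 204.253.208.0 0.0.0.255
access-list 101 permit ip any any
"""
# Constructed variant: same lines, deny moved to the top, to show that order matters.
_lines = ACL_TEXT.splitlines()
ACL_DENY_FIRST = "\n".join([_lines[2], _lines[0], _lines[1], _lines[3]])

def parse_addr(tokens: List[str]) -> Tuple[int, int, int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (base, compare_mask, tokens_used)."""
    if tokens[0] == "any":
        return 0, 0, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, 2
    base = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    # Cisco wildcard bits set to 1 mean "don't care", so compare only the inverted bits.
    return base, (~wildcard) & 0xFFFFFFFF, 2

def parse_acl(text: str) -> List[Tuple[str, str, int, int, int, int]]:
    """Parse 'access-list N action proto SRC DST' lines into (action, proto, src, smask, dst, dmask)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_mask, used = parse_addr(t[4:])
        dst, dst_mask, _ = parse_addr(t[4 + used:])
        rules.append((action, proto, src, src_mask, dst, dst_mask))
    return rules

def evaluate(rules, proto: str, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for one packet; anything unmatched hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rproto, rs, sm, rd, dm in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if (s & sm) == (rs & sm) and (d & dm) == (rd & dm):
            return action
    return "deny"

RULES = parse_acl(ACL_TEXT)
```

Note that ICMP to an address outside 204.253.208.0/24 still falls through to the final permit ip any any line, so the deny only protects that one block.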

More information about the NANOG mailing list