ICMP Attacks???????

Network Admin Account nacr at gate.net
Fri Aug 15 14:14:15 UTC 1997


Thanks...how if someone ping attacks the web server and then spoofs the IP
address of the web server to attack someone else.  We had that happened
and we did use a sniffer and got tons of information from it, but the
IP addresses that we were there were from other places(like schools, other
ISP, etc..etc..)...the person probrably ping the broadcast address of some
other sites and got valid addresses and then ping attacked us.  Have you
recently experienced this???? we're trying to track down the person, but
its very difficult...any ideas...

On Fri, 15 Aug 1997, Joe  Shaw wrote:

> On Fri, 15 Aug 1997, Network Admin Account wrote:
> > 
> > Has anyone been resently attacked by massive flood pings??????  We are
> > trying to locate any other ISP's or anyone else having the same problem. 
> Ping floods are quite possibly the single most common form of attempted
> denial of service attacks.  If someone is ping flooding you, plug a
> sniffer into the the ethernet and take a look at the where they're coming
> from.  Or, if you know what host on your network is under attack, a simple
> netstat will show you the open connections at that time.  If you're lucky,
> it's just some clueless person doing a ping -f or similar.  Or, you're
> being attacked by the smurf.c program (or similar) that forges icmp
> packets with your  source address to broadcast addresses and then you get
> flooded by the replies.  I'd just go to a few of your machines and do a
> netstat on them, then dump the data to a file and see if you can see where
> all the ICMP packets are coming from.  When you find out, it's time to get
> on the horn and talk to the Administrative and Technical contact for the
> domain.  Also, it might not be a bad idea to deny ICMP at your router.
> This can be done by adding a line like this to your cisco access-list:
> access-list 101 permit icmp any host
> access-list 101 permit icmp any host
> access-list 101 deny icmp any
> access-list 101 permit ip any any   
> the permit lines allow people from the outside (or whatever other
> interface(s) we apply this access list to) to still ping some sites.  All
> icmp traffic to others is denied.
> I don't mean to insult your intelligence if you already knew this, but I
> figured if you didn't know it, you might want to.  And, we haven't
> experienced any ping flood recently that I can think of (the access-list
> did help).
> Joe Shaw - jshaw at insync.net
> NetAdmin - Insync Internet Services

More information about the NANOG mailing list