ICMP Attacks???????

Michael Dillon michael at priori.net
Fri Aug 15 17:30:11 UTC 1997

>> Has anyone been recently attacked by massive flood pings??????  We are
>> trying to locate any other ISPs or anyone else having the same problem.

>flooded by the replies.  I'd just go to a few of your machines and do a
>netstat on them, then dump the data to a file and see if you can see where
>all the ICMP packets are coming from.  When you find out, it's time to get

And just how do you identify the source of the ICMP packets when the source
address is forged? All too often when a customer calls to report this sort
of problem to their upstream provider, the source of the traffic is traced
to the shared media at an IXP and this, only after some laborious effort by
the NOC staff of the upstream network provider. It is really hard to trace
ICMP floods past the IXP shared media.

I'm not sure what can be done to make this easier but I have a few ideas.
IMHO this is an important problem to solve because ICMP does some useful
things so that most of us don't want to simply turn it off in our networks
entirely. But we do need some tools and/or knobs in the routers to help us
track down the source of these floods quickly and effortlessly.

One idea that I've had would be to have a tool which can poll your routers
for SNMP stats on ICMP traffic and analyze them based on normal ICMP
traffic levels to detect where an unusually large number of ICMP packets
are entering your network. This probably needs some assistance from the
researchers who study traffic stats to determine the baseline for what is
normal, or perhaps to tell us that there is no absolute baseline and we
need a tool to analyze our networks specifically to dynamically determine
the baseline. This also assumes that ping floods are aberrant events, i.e.
they do not occur so often that they appear to be the normal state of
affairs. And it also assumes that during a ping flood attack even if the
source addresses are spoofed, nevertheless the stream of packets all follow
the same route and all originate on the same LAN.

Obviously, any solution to tracking these attacks will require a certain
level of cooperation from all providers but I think it is in all our best
interests to work on this because in the end it will save us from a lot of
headaches and help all of us in our customer relationships.

Michael Dillon                    voice: +1-650-482-2840
Senior Systems Architect            fax: +1-650-482-2844
PRIORI NETWORKS, INC.              http://www.priori.net

"The People You Know.  The People You Trust."
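As an added illustration of the baseline idea sketched in the message (not code from the original post or from the author), the following locates which router an ICMP flood is entering through by comparing each router's current ICMP-in packet rate against a baseline learned from its own earlier samples. It assumes the MIB-II icmpInMsgs counter (OID 1.3.6.1.2.1.5.1) has already been polled at a fixed interval; the SNMP polling itself is left out and all counter values below are constructed.

```python
"""Baseline-driven ICMP flood locator over SNMP counter samples.

Added example, not from the original post. Assumes monotonic icmpInMsgs
(MIB-II, OID 1.3.6.1.2.1.5.1) readings per router taken every POLL_INTERVAL
seconds; the readings below are constructed, not real NOC data.
"""
from statistics import mean, pstdev

POLL_INTERVAL = 60          # seconds between counter samples (assumed)
COUNTER_MODULUS = 2 ** 32   # MIB-II Counter32 wraps at 2^32

# Constructed icmpInMsgs readings for three edge/core routers. Only the
# router facing the IXP shows a sudden jump after the fourth sample.
SAMPLES = {
    "border-ixp":   [1000, 1120, 1235, 1350, 1470, 9800, 18500, 27300],
    "border-peerA": [500, 560, 610, 670, 725, 790, 850, 905],
    "core-1":       [2000, 2210, 2430, 2650, 2860, 3080, 3290, 3510],
}


def rates(counters, interval=POLL_INTERVAL):
    """Turn a monotonic counter series into per-interval rates (packets/s),
    tolerating a single Counter32 wrap between consecutive samples."""
    return [((b - a) % COUNTER_MODULUS) / interval
            for a, b in zip(counters, counters[1:])]


def learn_baseline(rate_series, warmup):
    """Mean and std-dev of the first `warmup` rates: the 'normal' ICMP level."""
    base = rate_series[:warmup]
    return mean(base), pstdev(base)


def locate_flood(samples, warmup=4, sigma=3.0):
    """Return {router: (latest_rate, baseline_mean)} for every router whose
    latest ICMP-in rate exceeds its baseline by more than `sigma` std-devs.
    If the baseline is perfectly flat (std-dev 0) fall back to 2x the mean,
    so a zero std-dev does not flag ordinary jitter as an attack."""
    flagged = {}
    for router, counters in samples.items():
        series = rates(counters)
        mu, sd = learn_baseline(series, warmup)
        latest = series[-1]
        threshold = mu + sigma * sd if sd > 0 else 2 * mu
        if latest > threshold:
            flagged[router] = (latest, mu)
    return flagged


if __name__ == "__main__":
    for router, (now, base) in locate_flood(SAMPLES).items():
        print(f"{router}: {now:.1f} pps ICMP in, baseline {base:.2f} pps")
```

The baseline is learned per router from its own history, which is the "dynamically determine the baseline" option the message mentions; the warmup window and sigma threshold are tuning knobs a NOC would set from observed traffic.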
