ICMP Attacks???????

Steve Carter scarter at genuity.net
Tue Aug 19 06:25:58 UTC 1997


	As Alex said earlier, we have experienced(?) a few ping floods
recently, and it is very difficult to use technology to trace the real
culprit, because you would have to follow the L2 signature (router ARP
tables at every hop, show ip arp, on a Cisco) through the Internet to
the source which means that you would have to have privs (or cooperate
with engineers) on all the transit networks that the culprit uses.  By
the time this is in place the flood has usually stopped and then we are
SOL >:)

	I would suggest that you interview the specific person targeted
(if there is one) and ask, in good old Columbo style, 'Did the deceased
have any enemies that you know of?'  You never know!  Knowing/suspecting
is not enough and tangible proof is a different thing however!

	-----------------------------
	 
> Does anyone have any ideas from where it's coming from????  We have had no
> luck with this at all????
> 
> On Fri, 15 Aug 1997, Alex Rubenstein wrote:
> 
> > 
> > Yes. It was interesting. My understanding is that what I am about to tell
> > you is old news, but here:
> > 
> > Attacker sends a packet with a source address of the victim, with a dest
> > address to the broadcast of a (pick any) network. Every machine on the
> > network will then respond with an ICMP reply to the 'source' (the victim).
> > 
> > My understanding is that a 28.8 user could easily fill a T1 (or more)
> > with this method. We have no proof, but someone did this to us from what
> > appears to be an ISDN account from PSI, and filled 6 - 7 mb/s of our
> > Ethernet genuity connection in doing so. It was *not* cool.
> > 
> > 
> > On Fri, 15 Aug 1997, Network Admin Account wrote:
> > 
> > > 
> > > Has anyone been recently attacked by massive flood pings??????  We are
> > > trying to locate any other ISPs or anyone else having the same problem. 
> > > 
> > > 
> > 
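
In the reflection described in the thread, the forged packet hides the sender, but the echo replies reaching the victim come from the machines on the abused broadcast network, so that network can be identified from the victim's own capture. The following is an added example, not part of the original messages: it groups unsolicited echo replies by source network. The record layout, function names, thresholds and documentation-range addresses are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8

def build_sample():
    """Constructed records: (time_s, src, dst, icmp_type, icmp_id, icmp_seq)."""
    recs = [
        # The victim really pings one host and gets its answer back.
        (0.0, "192.0.2.10", "203.0.113.5", ECHO_REQUEST, 7, 1),
        (0.1, "203.0.113.5", "192.0.2.10", ECHO_REPLY, 7, 1),
    ]
    # 40 hosts on one network each send 3 replies the victim never asked for.
    for host in range(1, 41):
        for seq in range(3):
            recs.append((1.0 + seq * 0.01, f"198.51.100.{host}",
                         "192.0.2.10", ECHO_REPLY, 99, seq))
    return recs

def find_amplifier_networks(records, victim, prefix_len=24, min_hosts=10):
    """Map each suspect network to (distinct replying hosts, reply count).

    A reply is unsolicited when the victim never sent an echo request with
    the same peer, identifier and sequence number. A network is reported
    when at least min_hosts of its addresses sent such replies.
    """
    requested = {(dst, ident, seq)
                 for _, src, dst, typ, ident, seq in records
                 if typ == ECHO_REQUEST and src == victim}
    hosts = defaultdict(set)
    replies = defaultdict(int)
    for _, src, dst, typ, ident, seq in records:
        if typ != ECHO_REPLY or dst != victim:
            continue
        if (src, ident, seq) in requested:
            continue  # answers a request the victim actually sent
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        hosts[net].add(src)
        replies[net] += 1
    return {str(net): (len(h), replies[net])
            for net, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for net, (n_hosts, n_replies) in find_amplifier_networks(
            build_sample(), "192.0.2.10").items():
        print(f"{net}: {n_hosts} hosts, {n_replies} unsolicited echo replies")
```

The networks it reports are the ones whose operators can stop answering broadcast pings and can look at their own ingress for the forged requests.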


