ICMP Attacks???????

Jon Lewis jlewis at inorganic5.fdt.net
Fri Aug 22 05:55:02 UTC 1997

On Thu, 21 Aug 1997, Alex "Mr. Worf" Yuriev wrote:

> > Short of fixing every network on the internet, does anyone have any useful
> > advice for what to do when smurfed?  This happened to an FDT customer last
> > night, and it had our T1 (according to uunet) at about 500% capacity.
> > Obviously, until the attack stopped, our T1 wasn't too useful.  I'm about
> > >< close to just asking uunet to block all icmp echo replies from coming
> > into FDT...but I know customers will complain.
> Then they will start blasting UDP at you. Trust me, T1 is not that bad. We
> periodically have DS-3s eaten up completely but it happens for such a
> short time that it cannot really be traced :(

Perhaps.  The trouble is, when we get smurfed, our T1 becomes totally
useless.  While talking to UUNet and Cisco about the problem, Cisco
suggested traffic shaping on the UUNet 7500 we connect to.  If they did
that, and told the 7500 not to send >1.5mb/s for us to the cascade, then
would the 7500 be smart enough to prioritize the packets such that the
icmp get dropped and tcp and udp go through?  The main problem, AFAICT, is
that the cascade deals very badly with the situation where it has 7mb/s of
traffic for a 1.5mb/s pipe.  UUNet did not seem terribly receptive to the

 Jon Lewis <jlewis at fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____

More information about the NANOG mailing list