ISPs who filter ICMP during DoS?

David Schwartz davids at webmaster.com
Thu Jun 28 22:58:14 UTC 2001



	Filtering ICMP packets in DDoS attacks just makes the attacker attack
harder. It's not a useful strategy except when protecting very slow links
(T1 to 10Mbps) against very light attacks (32Mbps or less). The last few
DDoS attacks I've tried to filter have resulted in attacks so significant
there was nothing you could do at all. You will prompt a series of
escalations this way.

	One new trick if the attacker can spoof is to take out a server on port 123
for IP 1.2.3.4 by swamping you with spoofed TCP SYN packets to that IP and
port. The source IPs tend to be chosen from areas rich in major government
and military sites. Filter them and the server is offline. Reply to them,
and you are flooding thousands of innocent victims (with powerful response
tactics) with unsolicited SYN ACK replies.

	If the attacker can't spoof, the sources are usually tracked and shut down.
Filtering just makes it so that you can't do the tracking and shutting down.
So what's the good?

	Perhaps other people's experiences differ from mine.

	DS
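An added example (not part of the post or the thread) of the detection side of the spoofed SYN flood described above: aggregating half-open SYNs by destination socket over constructed flow records exposes the flood that a per-source rate limit never sees, because each forged source sends a single SYN. The target 1.2.3.4:123 is the post's own; the source addresses and the flow-record format are constructed.

```python
"""Aggregate SYN-flood detection over constructed flow records.

Per-source limits miss a spoofed flood (every forged source appears once);
aggregating by destination socket and counting handshakes that never
complete still catches it.
"""
from collections import defaultdict

# Constructed sample, one client-side packet per line: "src dst dport flag"
# (flag S = SYN, A = the client's final ACK of the handshake).
SAMPLE_FLOWS = [
    # Normal clients finish the handshake: SYN then ACK from the same source.
    "10.0.0.5 1.2.3.4 80 S", "10.0.0.5 1.2.3.4 80 A",
    "10.0.0.6 1.2.3.4 80 S", "10.0.0.6 1.2.3.4 80 A",
] + [
    # Spoofed flood against 1.2.3.4:123 (sources are constructed, not real):
    # one SYN per forged source, never followed by an ACK.
    f"198.51.100.{i} 1.2.3.4 123 S" for i in range(1, 41)
]

def summarize(flows):
    """Per (dst, port): SYN count, distinct SYN sources, most SYNs from any
    single source, and how many sources completed the handshake."""
    raw = {}
    for line in flows:
        src, dst, port, flag = line.split()
        s = raw.setdefault((dst, int(port)),
                           {"syns": 0, "per_src": defaultdict(int), "acked": set()})
        if flag == "S":
            s["syns"] += 1
            s["per_src"][src] += 1
        elif flag == "A":
            s["acked"].add(src)
    return {k: {"syns": v["syns"], "sources": len(v["per_src"]),
                "max_per_source": max(v["per_src"].values(), default=0),
                "completed": len(v["acked"])} for k, v in raw.items()}

def classify(summary, min_syns=20, per_source_limit=10):
    """Flag a destination when many SYNs arrive and almost none complete the
    handshake; the verdict also records whether a per-source limit would
    have tripped on any single source (it will not for a spoofed flood)."""
    verdicts = {}
    for key, s in summary.items():
        half_open = s["syns"] - s["completed"]
        if s["syns"] < min_syns or half_open < min_syns:
            verdicts[key] = "normal"
        elif s["max_per_source"] < per_source_limit:
            verdicts[key] = "syn-flood:distributed-sources"
        else:
            verdicts[key] = "syn-flood:concentrated-sources"
    return verdicts
```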
