North American Network Operators Group


Re: Ping flooding (fwd)

  • From: Daniel W. McRobb
  • Date: Mon Jul 08 23:23:37 1996
  • Company: ANS
  • Location: ANS Network Services, Ann Arbor, MI
  • Position: Staff Engineer

> On Mon, 8 Jul 1996, George Eddy wrote:
> 
> > yes, forging a ping attack is pretty easy and can be done from
> > anywhere with any source address (of course, who knows where the
> > responses will end up), the routing proximity is irrelevant, since the
> > source is not looked at (unless filters have been put in place, such
> > as what the upstream provider has apparently done).
> > 
> > the only _way I can think of_ in tracking it down, would be to backtrack
> > the possible paths into the router.  either by sniffing the possible
> > lines coming into router, or by temporarily disabling icmp echo reqs.
> > from all but one incoming line, until you've found the offending line,
> > continuing back.
> > 
> > of course this may be impossible in many cases since you probably
> > don't have access to the equipment (or cooperation) outside of your
> > domain. 
> 
> OK. So what if somebody is currently planning a ping battle on the global
> Internet, kind of like corewars in the network. Then what? Do the NSPs all
> roll over and play dead?
> 
> If I were to crosspost this reply to alt.2600 it wouldn't take long to
> happen you know. BTW, I won't be crossposting it there, but you get the
> idea, security by obscurity, etc...

I'm quite certain that tons of people know about these kinds of attacks
and how to implement them (as well as defend against them).  alt.2600
can't possibly be so far behind the times as to not know about forging
headers and the possibilities, regardless of whether or not it's ICMP
traffic we're talking about.  Denial of service attacks are very old in
theory and in practice.  This is not a security by obscurity issue at
all.

> Is anyone working on tools to help NSPs quickly backtrack this kind of
> thing?

The problem is not really a technical one.  It's administrative.  It's
much more of a headache to backtrack through 30 routers that aren't in
your own network than to backtrack to the ingress to your own network
domain and filter it out there (which is the typical response to this
kind of thing).  Getting everyone in the path to cooperate with
backtracking is difficult in many instances, impossible in others.  And
that doesn't even take into account the cases where an attacker has
multiple paths into your network and is using multiple forged source
addresses, much less the fact that the attacker can turn off the attack
when he/she chooses, thwarting your effort to track them.  Typically a
denial of service attack is used to leverage an attack on something more
interesting than just pure denial of service.  So the denial of service
often stops once the attacker has managed to get access to what he/she
was really looking for (which is not usually something as uninteresting
as ICMP echo requests or attempts to consume a lot of resources with
such traffic; there are often better means of making someone's leased
line and host machines be consumed than sending ICMP messages).

Daniel
~~~~~~
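One way to do the per-line backtrack and ingress filter that the thread describes (sniff the lines coming into the router, find the one carrying the forged echo requests, filter at that ingress), as an added example that is not part of the original post or of any NANOG tooling. The traffic samples, the interface names and the map of which source prefixes are expected behind each line are constructed for illustration; the filter text assumes Cisco IOS extended access-list syntax.

```python
"""Locate the ingress line of a forged-source ICMP echo flood from
per-interface traffic samples, then produce the filter to drop it there.
Added example with constructed data; not code from the original post."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed: what a short sniff on each line into the router might show.
# Fields: (ingress interface, src, dst, protocol, ICMP type or None).
SAMPLES = [
    ("serial0", "192.0.2.10",    "198.51.100.5", "tcp",  None),
    ("serial0", "192.0.2.11",    "198.51.100.5", "icmp", 8),
    ("serial1", "198.51.100.7",  "192.0.2.10",   "icmp", 0),
    ("serial1", "198.51.100.8",  "203.0.113.9",  "udp",  None),
    ("serial2", "10.1.1.1",      "198.51.100.5", "icmp", 8),
    ("serial2", "172.16.5.5",    "198.51.100.5", "icmp", 8),
    ("serial2", "192.0.2.200",   "198.51.100.5", "icmp", 8),  # forged: belongs behind serial0
    ("serial2", "203.0.113.40",  "198.51.100.5", "icmp", 8),  # legitimate source on this line
    ("serial2", "10.9.9.9",      "198.51.100.5", "icmp", 8),
]

# Constructed (hypothetical) map: prefixes that can legitimately be the
# source of traffic arriving on each line. Anything else is a forged header.
EXPECTED_SOURCES = {
    "serial0": ["192.0.2.0/24"],
    "serial1": ["198.51.100.0/24"],
    "serial2": ["203.0.113.0/24"],
}

ICMP_ECHO_REQUEST = 8


def echo_requests(samples):
    """Keep only ICMP echo requests; everything else is noise for this hunt."""
    return [s for s in samples if s[3] == "icmp" and s[4] == ICMP_ECHO_REQUEST]


def count_echo_by_interface(samples):
    """Per-line echo-request counts: the crude 'which line is hot' view."""
    return Counter(s[0] for s in echo_requests(samples))


def spoofed_by_interface(samples, expected):
    """Echo requests whose source is outside the prefixes expected on the
    line they arrived on. Keyed by interface; lines with no forgeries are
    absent from the result."""
    result = defaultdict(list)
    nets = {iface: [ip_network(p) for p in prefixes]
            for iface, prefixes in expected.items()}
    for iface, src, _dst, _proto, _itype in echo_requests(samples):
        if not any(ip_address(src) in n for n in nets.get(iface, [])):
            result[iface].append(src)
    return dict(result)


def find_flood_ingress(samples, expected, min_spoofed=3):
    """Return (interface, victim address) for the line carrying the most
    forged echo requests, or None if no line crosses the threshold.
    The victim is the most common destination of those forged packets."""
    spoofed = spoofed_by_interface(samples, expected)
    if not spoofed:
        return None
    iface = max(spoofed, key=lambda i: len(spoofed[i]))
    if len(spoofed[iface]) < min_spoofed:
        return None
    forged = set(spoofed[iface])
    victims = Counter(dst for i, src, dst, _p, _t in echo_requests(samples)
                      if i == iface and src in forged)
    return iface, victims.most_common(1)[0][0]


def ingress_filter(iface, victim, acl=101):
    """Filter to apply inbound on the offending line. Assumes Cisco IOS
    extended access-list syntax; drops echo requests to the victim only,
    since the attacker rotates forged sources and a source filter is futile."""
    return [
        f"access-list {acl} deny icmp any host {victim} echo",
        f"access-list {acl} permit ip any any",
        f"interface {iface}",
        f" ip access-group {acl} in",
    ]


if __name__ == "__main__":
    print(count_echo_by_interface(SAMPLES))
    hit = find_flood_ingress(SAMPLES, EXPECTED_SOURCES)
    if hit:
        print("\n".join(ingress_filter(*hit)))
```

The per-interface count alone would already point at serial2 here, but the source-prefix check is what distinguishes a busy line from one carrying forged headers, and it is the same check that, applied as a permanent ingress filter on every customer line, stops the forgery leaving the originating network in the first place.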