North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: [nsp] known networks for broadcast ping attacks
> At 7:56 PM +0100 7/30/97, Alex.Bligh wrote: > >Urm, 192.41.177.255 is the MAE-East LAN ?! Are you saying attacks are > >being mounted from here or people are attacking this LAN (not > >sure which is more worrying) > > The LAN is being used indirectly to attack another network. Pings are > spoofed as originating from the machine that is being attacked and sent to > the broadcast address on another network. This causes every machine on the > receiving network to send an ECHO_RESPONSE to the machine being attacked, > esentially creating a huge multiplying effect on a ping flood attack. > > Apparently, the MAE-East LAN is one of the networks that attackers are > using to flood other hosts. Right. Well that's how I read it too. And just to make sure this thread is indeed operations related, I'll make the following points: 1. Send a Cisco enough (a thousand a second) ICMP ECHO REQUESTS, and it takes CPU to 99% and drops all BGP sessions. Tested on a C7010. 2. Various routers on MAE-East have been mysteriously clearing all their BGP peers over the past week or two. 3. The attack mentioned causes a lot of ICMP ECHO REQUESTS to be sent to Cisco routers on MAE-East. Are these facts by any chance related? I think we should be told. Or, urm, find out. On with that logging ACL. Alex Bligh Xara Networks
|