North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: [nsp] known networks for broadcast ping attacks

  • From: Jon Lewis
  • Date: Mon Aug 11 23:57:24 1997

On Mon, 11 Aug 1997, Rick Watson wrote:

> This does not solve the entire problem. We have been the victim of
> such an attack for the last several days. The attack is using up about
> 7 Mbits of our DS3 to Sprint or about 16%. Filtering out ICMP packets
> at the router we control only prevents the target host from seeing the
> ping replies, but does not recover the portion of our circuit occupied
> by the ping replies, or of Sprint's backbone circuits, or of other
> provider's circuits in the path, etc.

FDT has also been the target of such attacks recently.  You know the
senario.  Some kid on IRC wants to own a channel, so he runs a script that
pings the broadcast address of a few dozen networks claiming a source
address of our IRC server...so we get hit so hard with icmp echo replies
that UUNet's Cascade switch starts burping such that the end result is we
get alternating [roughly] 0.5s bursts of silence / echo reply storms, and
no useful traffic comes through our T1.  I have about 1.5mb of tcpdump
data displaying this from an attack yesterday, and it happened again
today.

Fortunately, they usually do this only breifly.  I'm probably going to
tell our IRC admin to pull us off the IRC network.  The only other viable
option I can think of would be to ask UUNet to block all icmp for our
network, and I don't want that. 

------------------------------------------------------------------
 Jon Lewis <[email protected]>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____