|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: ICMP Attacks???????
>> Has anyone been resently attacked by massive flood pings?????? We are >> trying to locate any other ISP's or anyone else having the same problem. >flooded by the replies. I'd just go to a few of your machines and do a >netstat on them, then dump the data to a file and see if you can see where >all the ICMP packets are coming from. When you find out, it's time to get And just how do you identify the source of the ICMP packets when the source address is forged? All too often when a customer calls to report this sort of problem to their upstream provider, the source of the traffic is traced to the shared media at an IXP and this, only after some laborious effort by the NOC staff of the upstream network provider. It is really hard to trace ICMP floods past the IXP shared media. I'm not sure what can be done to make this easier but I have a few ideas. IMHO this is an important problem to solve because ICMP does some useful things so that most of us don't want to simply turn it off in our networks entirely. But we do need some tools and/or knobs in the routers to help us track down the source of these floods quickly and effortlessly. One idea that I've had would be to have a tool which can poll your routers for SNMP stats on ICMP traffic and analyze them based on normal ICMP traffic levels to detect where an unusually large number of ICMP packets are entering your network. This probably needs some assisitance from the researchers who study traffic stats to determine the baseline for what is normal, or perhaps to tell us that there is no absolute baseline and we need a tool to analyze our networks specifically to dynamically determine the baseline. This also assumes that ping floods are aberrant events, i.e. they do not occur so often that they appear to be the normal state of affairs. And it also assumes that during a ping flood attack even if the source addresses are spoofed, nevertheless the stream of packets all follow the same route and all originate on the same LAN. Obviously, any solution to tracking these attacks will require a certain level of cooperation from all providers but I think it is in all our best interests to work on this because in the end it will save us from a lot of headaches and help all of us in our customer relationships. ******************************************************** Michael Dillon voice: +1-650-482-2840 Senior Systems Architect fax: +1-650-482-2844 PRIORI NETWORKS, INC. http://www.priori.net "The People You Know. The People You Trust." ********************************************************
|