|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: ICMP Attacks???????
> One idea that I've had would be to have a tool which can poll your routers > for SNMP stats on ICMP traffic and analyze them based on normal ICMP > traffic levels to detect where an unusually large number of ICMP packets > are entering your network. This probably needs some assisitance from the > researchers who study traffic stats to determine the baseline for what is > normal, or perhaps to tell us that there is no absolute baseline and we > need a tool to analyze our networks specifically to dynamically determine > the baseline. This also assumes that ping floods are aberrant events, i.e. > they do not occur so often that they appear to be the normal state of > affairs. And it also assumes that during a ping flood attack even if the > source addresses are spoofed, nevertheless the stream of packets all follow > the same route and all originate on the same LAN. I think it's critical that routers be capable of logging the hardware addresses of ICMP, along with source addresses, so that these attacks can be traced across shared media at exchanges. As it is now, it's hard enough to trace it back across a backbone, but if it crosses a MAE, it's perfectly anonymous unless new techniques are around that we aren't aware of. Josh Beck [email protected] ---------------------------------------------------------------------- CONNECTNet INS, Inc. Phone: (619)450-0254 Fax: (619)450-3216 6370 Lusk Blvd., Suite F-208 San Diego, CA 92121 ----------------------------------------------------------------------
|