North American Network Operators Group
RE: ICMP Attacks???????
As Alex said earlier, we have experienced(?) a few ping floods recently, and it is very difficult to use technology to trace the real culprit, because you would have to follow the L2 signature (router ARP tables at every hop, show ip arp, on a Cisco) through the Internet to the source, which means that you would have to have privs (or cooperate with engineers) on all the transit networks that the culprit uses. By the time this is in place the flood has usually stopped and then we are SOL >:)

I would suggest that you interview the specific person targeted (if there is one) and ask, in good old Columbo style, 'Did the deceased have any enemies that you know of?' You never know! Knowing/suspecting is not enough and tangible proof is a different thing however!

-----------------------------

> Does anyone have any ideas from where it's coming from???? We have had no
> luck with this at all????
>
> On Fri, 15 Aug 1997, Alex Rubenstein wrote:
>
> > Yes. It was interesting. My understanding is that what I am about to tell
> > you is old news, but here:
> >
> > Attacker sends a packet with a source address of the victim, with a dest
> > address to the broadcast of a (pick any) network. Every machine on the
> > network will then respond with an ICMP reply to the 'source' (the victim).
> >
> > My understanding is that a 28.8 user could easily fill a T1 (or more)
> > with this method. We have no proof, but someone did this to us from what
> > appears to be an ISDN account from PSI, and filled 6 - 7 mb/s of our
> > Ethernet genuity connection in doing so. It was *not* cool.
> >
> > On Fri, 15 Aug 1997, Network Admin Account wrote:
> >
> > > Has anyone been recently attacked by massive flood pings?????? We are
> > > trying to locate any other ISPs or anyone else having the same problem.
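
The reflected flood described in the quoted message reaches the victim as echo replies it never asked for, sent from the real addresses of many hosts on one network, so the amplifier network can be identified from a capture even when the spoofing sender cannot. The following is an added example, not part of the original thread; the packet tuples, the `min_reflectors` threshold and the addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

def find_reflected_floods(packets, min_reflectors=5, prefix=24):
    """Return {victim: {amplifier_network: distinct_reflector_count}}.

    packets: iterable of (src_ip, dst_ip, icmp_type) in capture order.
    An echo reply counts only if its destination never pinged the sender.
    """
    asked = set()  # (requester, target) pairs seen as echo requests
    reflectors = defaultdict(lambda: defaultdict(set))
    for src, dst, icmp_type in packets:
        if icmp_type == ECHO_REQUEST:
            asked.add((src, dst))
        elif icmp_type == ECHO_REPLY and (dst, src) not in asked:
            # Group unsolicited repliers by network (hypothetical /24 default)
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            reflectors[dst][str(net)].add(src)
    report = {}
    for victim, nets in reflectors.items():
        hits = {n: len(h) for n, h in nets.items() if len(h) >= min_reflectors}
        if hits:
            report[victim] = hits
    return report

# Constructed sample capture as seen at the victim's border:
# one legitimate ping exchange, one stray reply, and 20 hosts of one
# network each sending 3 unsolicited replies to the victim.
SAMPLE = (
    [("192.0.2.10", "203.0.113.5", ECHO_REQUEST),
     ("203.0.113.5", "192.0.2.10", ECHO_REPLY),
     ("203.0.113.9", "192.0.2.10", ECHO_REPLY)]
    + [(f"198.51.100.{h}", "192.0.2.10", ECHO_REPLY)
       for h in range(1, 21) for _ in range(3)]
)

if __name__ == "__main__":
    for victim, nets in find_reflected_floods(SAMPLE).items():
        for net, count in nets.items():
            print(f"{victim}: unsolicited echo replies from {count} hosts in {net}")
```

The network reported is the one whose operators can be contacted about the broadcast responses while the flood is still running.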