North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ICMP Attacks???????

  • From: Jon Lewis
  • Date: Fri Aug 22 02:12:00 1997

On Thu, 21 Aug 1997, Alex "Mr. Worf" Yuriev wrote:

> > Short of fixing every network on the internet, does anyone have any useful
> > advice for what to do when smurfed?  This happened to an FDT customer last
> > night, and it had our T1 (according to uunet) at about 500% capacity.
> > Obviously, until the attack stopped, our T1 wasn't too useful.  I'm about
> > >< close to just asking uunet to block all icmp echo replies from coming
> > into FDT...but I know customers will complain.
> Then they will start blasting UDP at you. Trust me, T1 is not that bad. We
> periodically have DS-3s eaten up completely but it happens for such a
> short time that it cannot really be traced :(

Perhaps.  The trouble is, when we get smurfed, our T1 becomes totally
useless.  While talking to UUNet and Cisco about the problem, Cisco
suggested traffic shaping on the UUNet 7500 we connect to.  If they did
that, and told the 7500 not to send >1.5mb/s for us to the cascade, then
would the 7500 be smart enough to prioritize the packets such that the
icmp get dropped and tcp and udp go through?  The main problem, AFAICT, is
that the cascade deals very badly with the situation where it has 7mb/s of
traffic for a 1.5mb/s pipe.  UUNet did not seem terribly receptive to the

 Jon Lewis <[email protected]>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______ for PGP public key____