Re: Getting PING bombed...

North American Network Operators Group
Re: Getting PING bombed...

From: Jared Mauch
Date: Sat Oct 18 12:59:53 1997
	The warning of doing this is be sure you're running code that 
doesn't generate icmp administrativeley prohibited messages for each packet
denied, else that will melt down your router cpu

	(No router-wars here folks)

	- Jared

Jamie Rishaw boldly claimed:
> access-list 123 deny icmp host 130.89.29.52 any echo
> access-list 123 permit ip any any
> interface HSSIx/x
>  ip access-group 123 in
> 
> ..have your upstream do the same, out.
> 
> Doug Davis wrote:
> > 
> > Hello all.
> > 
> > We are getting ping bombed by the site `donantonio.wb.utwente.nl`
> > the attack is coming thru our uunet connection and is consuming
> > about 20% of our DS3.  It is directed at one of our 28.8 dialup
> > ports.
> > 
> > Email to the listed site contact fails with "Resource unavailable"
> > 
> > Does anyone have a contact address for these folks? Even though we've
> > blocked them at the router, my customers would really like them to stop
> > now so we can have the rest of the DS3.
> > 
> > 23:30:52.396533 130.89.29.52 > 206.66.5.134: (frag 35152:[email protected])
> > 23:30:52.398484 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35153:[email protected]+)
> > 23:30:52.399460 130.89.29.52 > 206.66.5.134: (frag 35153:[email protected])
> > 23:30:52.402386 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35154:[email protected]+)
> > 23:30:52.404337 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35155:[email protected]+)
> > 23:30:52.404337 130.89.29.52 > 206.66.5.134: (frag 35155:[email protected])
> > 23:30:52.408240 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35156:[email protected]+)
> > 23:30:52.408240 130.89.29.52 > 206.66.5.134: (frag 35156:[email protected])
> > 23:30:52.411166 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35157:[email protected]+)
> > 23:30:52.411166 130.89.29.52 > 206.66.5.134: (frag 35157:[email protected])
> > 23:30:52.413118 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35158:[email protected]+)
> > 23:30:52.413118 130.89.29.52 > 206.66.5.134: (frag 35158:[email protected])
> > 23:30:52.415069 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35159:[email protected]+)
> > 23:30:52.416044 130.89.29.52 > 206.66.5.134: (frag 35159:[email protected])
> > 23:30:52.418971 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35160:[email protected]+)
> > 23:30:52.419946 130.89.29.52 > 206.66.5.134: (frag 35160:[email protected])
> > 23:30:52.420922 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35161:[email protected]+)
> > 23:30:52.420922 130.89.29.52 > 206.66.5.134: (frag 35161:[email protected])
> > 23:30:52.425800 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35163:[email protected]+)
> > 23:30:52.425800 130.89.29.52 > 206.66.5.134: (frag 35163:[email protected])
> > 23:30:52.428727 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35165:[email protected]+)
> > 23:30:52.428727 130.89.29.52 > 206.66.5.134: (frag 35165:[email protected])
> > 23:30:52.431653 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35167:[email protected]+)
> > 23:30:52.431653 130.89.29.52 > 206.66.5.134: (frag 35167:[email protected])
> > 23:30:52.434580 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35168:[email protected]+)
> > 23:30:52.434580 130.89.29.52 > 206.66.5.134: (frag 35168:[email protected])
> > 23:30:52.436531 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35169:[email protected]+)
> > 23:30:52.436531 130.89.29.52 > 206.66.5.134: (frag 35169:[email protected])
> > 23:30:52.439458 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35170:[email protected]+)
> > 23:30:52.439458 130.89.29.52 > 206.66.5.134: (frag 35170:[email protected])
> > 23:30:52.445311 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35173:[email protected]+)
> > 23:30:52.446287 130.89.29.52 > 206.66.5.134: (frag 35173:[email protected])
> > 23:30:52.449213 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35174:[email protected]+)
> > 23:30:52.449213 130.89.29.52 > 206.66.5.134: (frag 35174:[email protected])
> > 23:30:52.451164 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35175:[email protected]+)
> > 23:30:52.451164 130.89.29.52 > 206.66.5.134: (frag 35175:[email protected])
> > 23:30:52.453116 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35177:[email protected]+)
> > 23:30:52.453116 130.89.29.52 > 206.66.5.134: (frag 35177:[email protected])
> > 23:30:52.456042 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35178:[email protected]+)
> > 23:30:52.457993 130.89.29.52 > 206.66.5.134: icmp: echo request (frag 35179:[email protected]+)
> > [...]
> > 
> > 
> 
> 
> -- 
> jamie g.k. rishaw  dal/efnet:gavroche  __    IAGnet/CICNet/netILLINOIS Netops
> DID:216.902.5455 FAX:216.623.3566      \/            800.637.4IAGx5455
> "No. I'm *not* going to walk a nun through a router config." [email protected]
>                Forget regret, or life is yours to miss -- RENT
> 


-- 
  ----------------- [email protected] - Nether Network ------------------
       CICNet/IAGNet/NetherNet - finger [email protected] for pgp key
Follow-Ups:
- Re: Getting PING bombed... Craig A. Huegen
References:
- Re: Getting PING bombed... Jamie Rishaw
Prev by Date: Re: Getting PING bombed...
Next by Date: Re: Getting PING bombed...
Date Index
Thread Index
Author Index
Historical