Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Ping flooding (fwd)

  • From: George Eddy
  • Date: Mon Jul 08 20:37:38 1996
  • Posted-date: Mon, 8 Jul 96 17:39:18 PDT

According to: Michael Dillon
> 
> Are there any procedures in place to track down this kind of network
> abuse. In particular, is it possible that it is a stealth attack?
> Before you answer, take note that this is going to appear in Bob
> Metcalfe's column next week.
> 

what is, how to forge a ping attack expiditing the eminent death of
the net?  :)

> ---------- Forwarded message ----------
> Date: Mon, 8 Jul 1996 15:30:43 -0600 (MDT)
> From: Kevin Rosenberg <kevin@cyberport.com>
> Reply-To: inet-access@earth.com
> To: inet-access@earth.com
> Subject: Re: Ping flooding
> Resent-Date: Mon, 8 Jul 1996 15:30:53 -0600 (MDT)
> Resent-From: inet-access@earth.com
> 
> > Some months later we had an incident of massive amounts of forged email
> > from a site called SUNSETDIRECT.COM.  For several weeks they sent forged
> 
> We are currently undergoing a ping flood attack, though our upstream
> provider has filtered icmp from the host so the flood is no longer
> affecting our T1 line.
> 
> The system administrator of the site that appears to be flooding us
> doesn't believe his site is the source of the attack. He states that he
> can't see the icmp packets, though I don't know how he is sniffing his
> wire. 
> 
> My questions are these: 
> 
> Is it possible for someone to forged the source IP address of an icmp
> packet?
> 
> If so, do they have to be in some routing proximity, or can they forge the
> source address while they are connected from anywhere in the world?
> 
> Thanks!
>

yes, forging a ping attack is pretty easy and can be done from
anywhere with any source address (of course, who knows where the
responses will end up), the routing proximity is irrelavant, since the
source is not looked at (unless filters have been put in place, such
as what the upstream provider has apparently done).

the only _I can think of_ in tracking it down, would be to backtrack
the possible paths into the router.  either by sniffing the possible
lines coming into router, or by temporarily disabling icmp echo reqs.
from all but one incoming line, until you've found the offending line,
continuing back.

of course this may be impossible in many cases since you probably
don't have access to the equipment (or cooperation) outside of your
domain. 

> --------------------------------------------------------------------
> Kevin Rosenberg             | CyberPort Station
> Chief System Administrator  | The Finest Internet Service Possible!
> kevin@cyberport.com         | http://www.cyberport.com
>           Finger kevin@cyberport.com for PGP Public Key
> --------------------------------------------------------------------
> 
> 
> ============================== ISP Mailing List ==============================
> Email ``unsubscribe'' to inet-access-request@earth.com to be removed.
> Do not post flames to the list -- if you must flame, use private email.
> 

-- 

- rusty

eddy@isi.edu
- - - - - - - - - - - - - - - - -




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.