Security Incidents mailing list archives

Re: DOS by Flooding a Network


From: "W.G. Iyer" <guhan777 () yahoo com>
Date: Mon, 17 Jun 2002 17:42:33 -0700 (PDT)

Greetings,

For starters you can disable all ICMP services except 
source-quench, parameter-problem,
destination-unreachable, and time-exceeded at your
border router or firewall. 

If this doesn't alleviate the problem, then you need
to identify the type of ICMP datagrams that are being
sent; you can do this with a simple sniffer like tcpdump,
and then block that particular ICMP packet type. Note
I don't want to go into the merits or pitfalls of
disabling ICMP, but there are good arguments made for
both cases.

Finally, I would highly recommend adding a stateful
packet filter between your ISP and your network; take
a look at netfilter.org, so you don't "have to weather
the storm" or whatever else your ISP has in store for
you. This will allow you to have much tighter
control over the traffic entering your network as well
as traffic originating from your network. 

Hope this helps,
Guhan

--- Richard Ginski <rginski () co pinellas fl us> wrote:
This past weekend, we experienced the periodic
flooding of our network.
The flooding caused our network to be inaccessible.
The traffic has
mainly been ICMP: large quantities of large spoofed
packets...similar to
"ping-of-death". Appropriate patching has been
applied so the actual
attack does not shut anything down. However, it does
succeed in flooding
of our network rendering it inaccessible.

We are trying to figure out a way, if any, to
mitigate this attack from
flooding our network in the future. We tried to
coordinate with our ISP
upstream but they say they can't do anything....and
we feel sending
resets on our end would be useless and ineffective.
We are trying to
figure out a way to eliminate the "choke point" or
"bottle neck" when
the attacks occur. I feel we should be able to do
something better than
just "weathering the storm".


Any suggestions?

TIA


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management 
and tracking system please see:
http://aris.securityfocus.com



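As an added example (not part of the original posts): a Python sketch of the "identify the type of ICMP datagrams with a sniffer" step from the reply above, tallying ICMP types from tcpdump text output and listing the ones outside the four types the reply suggests keeping. The sample lines are constructed, the function names are hypothetical, and the substring matching assumes tcpdump's usual one-line ICMP descriptions.

```python
import re
from collections import Counter

# The four ICMP types the reply suggests leaving enabled at the border.
ALLOWED = {"source-quench", "parameter-problem",
           "destination-unreachable", "time-exceeded"}
# Assumed substrings of tcpdump's ICMP description -> type name.
PATTERNS = [("echo request", "echo-request"), ("echo reply", "echo-reply"),
            ("unreachable", "destination-unreachable"),
            ("time exceeded", "time-exceeded"),
            ("source quench", "source-quench"),
            ("parameter problem", "parameter-problem")]
LINE_RE = re.compile(r"ICMP (?P<desc>.*), length (?P<len>\d+)\s*$")

def classify(desc):
    """Map a tcpdump ICMP description to a type name, or 'other'."""
    for needle, name in PATTERNS:
        if needle in desc:
            return name
    return "other"

def tally(lines):
    """Return (packets, octets) Counters keyed by ICMP type name."""
    packets, octets = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:          # non-ICMP traffic or unparsable line: skip it
            continue
        name = classify(m.group("desc"))
        packets[name] += 1
        octets[name] += int(m.group("len"))
    return packets, octets

def block_candidates(packets):
    """Observed types outside the allow-list, most frequent first."""
    return sorted((t for t in packets if t not in ALLOWED),
                  key=lambda t: -packets[t])

# Constructed sample capture (documentation address ranges only).
SAMPLE = """\
12:00:00.000001 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 1480
12:00:00.000002 IP 203.0.113.77 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 1480
12:00:00.000003 IP 203.0.113.120 > 192.0.2.10: ICMP echo request, id 4242, seq 3, length 1480
12:00:00.000400 IP 198.51.100.7 > 192.0.2.10: ICMP time exceeded in-transit, length 36
12:00:00.000500 IP 198.51.100.8 > 192.0.2.10: ICMP 198.51.100.8 udp port 33434 unreachable, length 36
12:00:00.000600 IP 192.0.2.10 > 203.0.113.9: ICMP echo reply, id 4242, seq 1, length 1480
12:00:00.000700 IP 192.0.2.20.53 > 192.0.2.10.40000: UDP, length 64
""".splitlines()

if __name__ == "__main__":
    pkts, octs = tally(SAMPLE)
    for name in block_candidates(pkts):
        print(f"{name}: {pkts[name]} packets, {octs[name]} bytes")
```

The byte totals per type show which ICMP type is actually consuming the link, which is the figure to hand to whoever controls the upstream filter.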

