nanog mailing list archives

Re: ICMP Attacks???????


From: Josh Beck <jbeck () connectnet com>
Date: Fri, 15 Aug 1997 11:20:53 -0700 (PDT)

One idea that I've had would be to have a tool which can poll your routers
for SNMP stats on ICMP traffic and analyze them based on normal ICMP
traffic levels to detect where an unusually large number of ICMP packets
are entering your network. This probably needs some assistance from the
researchers who study traffic stats to determine the baseline for what is
normal, or perhaps to tell us that there is no absolute baseline and we
need a tool to analyze our networks specifically to dynamically determine
the baseline. This also assumes that ping floods are aberrant events, i.e.
they do not occur so often that they appear to be the normal state of
affairs. And it also assumes that during a ping flood attack even if the
source addresses are spoofed, nevertheless the stream of packets all follow
the same route and all originate on the same LAN.

        I think it's critical that routers be capable of logging the
hardware addresses of ICMP, along with source addresses, so that these
attacks can be traced across shared media at exchanges. As it is now, it's
hard enough to trace it back across a backbone, but if it crosses a MAE,
it's perfectly anonymous unless new techniques are around that we aren't
aware of.

Josh Beck                                         jbeck () connectnet com
----------------------------------------------------------------------
CONNECTNet INS, Inc.      Phone: (619)450-0254      Fax: (619)450-3216
6370 Lusk Blvd., Suite F-208                       San Diego, CA 92121
----------------------------------------------------------------------
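The detector sketched in the post (poll a router's ICMP counters, derive a per-router baseline, flag intervals that are far above it), as an added example that is not the poster's code. It assumes a separate poller already reads the RFC 1213 object icmpInMsgs (1.3.6.1.2.1.5.1) from each router on a fixed interval; the counter readings embedded below are constructed, not captured, and are chosen to cross the 32-bit counter wrap so that edge case is exercised.

```python
"""Baseline-and-deviation detector for polled ICMP counter samples.

Added example, not from the original NANOG post. The SNMP polling itself
is assumed to happen elsewhere; this module only consumes the absolute
icmpInMsgs readings it produces. All sample data here is constructed.
"""
from statistics import mean, pstdev

COUNTER_MAX = 2 ** 32          # icmpInMsgs is a Counter32: it wraps to 0
POLL_INTERVAL_S = 60           # assumed poll period of the (hypothetical) poller

# Constructed readings for one router, one per poll. The first three sit
# just below 2^32 so the third-to-fourth step wraps; intervals 8 and 9
# carry a constructed flood (90k and 95k ICMP messages in a minute).
SAMPLES = [
    4_294_966_000, 4_294_966_600, 4_294_967_220, 504, 1_114, 1_704,
    2_334, 2_934, 92_934, 187_934, 188_544, 189_144,
]


def counter_delta(prev, curr):
    """Difference between two Counter32 readings, tolerating one wrap.

    Caveat: a router reboot resets the counter to 0 and is
    indistinguishable from a wrap here; sysUpTime should be checked by
    the poller to discard the first sample after a restart.
    """
    if curr >= prev:
        return curr - prev
    return curr + COUNTER_MAX - prev


def rates_from_samples(samples, interval_s=POLL_INTERVAL_S):
    """Turn absolute counter readings into per-interval rates (messages/s)."""
    return [counter_delta(a, b) / interval_s
            for a, b in zip(samples, samples[1:])]


def detect_floods(rates, window=6, sigma=3.0, min_rate=20.0):
    """Flag intervals whose rate is far above this router's own baseline.

    The baseline is the mean and standard deviation of the last `window`
    rates that were *not* themselves flagged, so a flood does not raise
    the bar for the next interval, and no fixed "normal" number is
    assumed (the post notes there may be no absolute baseline).
    `min_rate` stops near-zero baselines from alerting on noise.
    Returns (interval_index, rate, threshold) tuples.
    """
    clean, alerts = [], []
    for i, rate in enumerate(rates):
        if len(clean) < window:        # still learning the baseline
            clean.append(rate)
            continue
        base = clean[-window:]
        mu, sd = mean(base), pstdev(base)
        threshold = max(mu + sigma * sd, min_rate)
        if rate > threshold:
            alerts.append((i, round(rate, 1), round(threshold, 1)))
        else:
            clean.append(rate)
    return alerts


def analyze_router(name, samples, interval_s=POLL_INTERVAL_S):
    """Run the detector over one router's samples and return its alerts."""
    return [(name,) + a for a in detect_floods(rates_from_samples(samples, interval_s))]


if __name__ == "__main__":
    for router, idx, rate, thresh in analyze_router("edge-rtr-1", SAMPLES):
        print(f"{router}: interval {idx} ICMP rate {rate} msg/s "
              f"exceeds baseline threshold {thresh} msg/s")
```

Running it flags intervals 7 and 8 (the constructed flood) at 1500 and about 1583 messages per second against a threshold of 20, while the wrapped interval is computed as an ordinary 580-message step rather than a huge negative delta. In practice the window and sigma would be tuned per router from its history, and, as the post points out, this only tells you which router saw the surge; tracing it further back needs the ingress interface and, across shared media, the source hardware address.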
