nanog mailing list archives
Re: ICMP Attacks???????
From: Josh Beck <jbeck () connectnet com>
Date: Fri, 15 Aug 1997 11:20:53 -0700 (PDT)
One idea that I've had would be to have a tool which can poll your routers for SNMP stats on ICMP traffic and analyze them based on normal ICMP traffic levels to detect where an unusually large number of ICMP packets are entering your network. This probably needs some assistance from the researchers who study traffic stats to determine the baseline for what is normal, or perhaps to tell us that there is no absolute baseline and we need a tool to analyze our networks specifically to dynamically determine the baseline. This also assumes that ping floods are aberrant events, i.e. they do not occur so often that they appear to be the normal state of affairs. And it also assumes that during a ping flood attack even if the source addresses are spoofed, nevertheless the stream of packets all follow the same route and all originate on the same LAN.
I think it's critical that routers be capable of logging the hardware addresses of ICMP, along with source addresses, so that these attacks can be traced across shared media at exchanges. As it is now, it's hard enough to trace it back across a backbone, but if it crosses a MAE, it's perfectly anonymous unless new techniques are around that we aren't aware of.

Josh Beck jbeck () connectnet com
----------------------------------------------------------------------
CONNECTNet INS, Inc. Phone: (619)450-0254 Fax: (619)450-3216
6370 Lusk Blvd., Suite F-208 San Diego, CA 92121
----------------------------------------------------------------------
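The baseline idea in the message above, sketched as an added example that is not part of the original message or any poster's tool: it learns a per-router ICMP rate from periodic counter polls and flags polls far above it. It assumes each poll returns a cumulative 32-bit SNMP ICMP packet counter per router; the router names, sample values and tuning parameters are constructed for illustration.

```python
# Added example: constructed data; all names here are hypothetical.
COUNTER32_MOD = 2 ** 32  # assumed: the polled SNMP counter is 32-bit and wraps

def rate(prev, curr, seconds):
    """Packets/sec between two Counter32 polls, tolerating one wrap."""
    return ((curr - prev) % COUNTER32_MOD) / seconds

class IcmpBaseline:
    """Per-router EWMA of the ICMP input rate and of its absolute deviation."""
    def __init__(self, alpha=0.2, k=5.0, floor=5.0, warmup=5):
        self.alpha, self.k, self.floor, self.warmup = alpha, k, floor, warmup
        self.state = {}  # router -> [mean, deviation, samples learned]

    def observe(self, router, pps):
        """Return True if pps is anomalous for this router; otherwise learn it."""
        if router not in self.state:
            self.state[router] = [pps, 0.0, 1]
            return False
        s = self.state[router]
        threshold = s[0] + self.k * max(s[1], self.floor)
        if s[2] >= self.warmup and pps > threshold:
            return True  # keep flood samples out of the learned baseline
        s[1] += self.alpha * (abs(pps - s[0]) - s[1])
        s[0] += self.alpha * (pps - s[0])
        s[2] += 1
        return False

def scan(polls, interval=60):
    """polls: {router: [counter samples]} -> [(router, poll_index, pps)]."""
    base, alerts = IcmpBaseline(), []
    for router, samples in polls.items():
        for i in range(1, len(samples)):
            pps = rate(samples[i - 1], samples[i], interval)
            if base.observe(router, pps):
                alerts.append((router, i, round(pps, 1)))
    return alerts

# Constructed samples: cumulative ICMP counter values polled every 60 s.
SAMPLE_POLLS = {
    "border1": [4294960000, 4294962400, 4294964860, 4294967200, 2404, 4864,
                7204, 9664, 12064, 912064, 1812064, 1814464],
    "border2": [1000, 1600, 2260, 2860, 3400, 4000, 4660, 5260, 5860, 6460],
}

if __name__ == "__main__":
    for router, idx, pps in scan(SAMPLE_POLLS):
        print(f"{router}: poll {idx}: {pps} ICMP pkts/s above learned baseline")
```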