nanog mailing list archives
RE: ISP's who filter ICMP during DoS?
From: "David Schwartz" <davids () webmaster com>
Date: Thu, 28 Jun 2001 15:58:14 -0700
Filtering ICMP packets in DDoS attacks just makes the attacker attack harder. It's not a useful strategy except when protecting very slow links (T1 to 10Mbps) against very light attacks (32Mbps or less). The last few DDoS attacks I've tried to filter have resulted in attacks so significant there was nothing you could do at all. You will prompt a series of escalations this way.

One new trick if the attacker can spoof is to take out a server on port 123 for IP 1.2.3.4 by swamping you with spoofed TCP SYN packets to that IP and port. The source IPs tend to be chosen from areas rich in major government and military sites. Filter them and the server is offline. Reply to them, and you are flooding thousands of innocent victims (with powerful response tactics) with unsolicited SYN ACK replies.

If the attacker can't spoof, the sources are usually tracked and shut down. Filtering just makes it so that you can't do the tracking and shutting down. So what's the good?

Perhaps other people's experiences differ from mine.

DS
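The spoofed SYN flood described in the post, as an added triage example (this is not code from the post or from the NANOG archive). It reads constructed flow records aimed at the post's example target, 1.2.3.4 port 123, measures how many SYNs never complete the handshake, and counts how many distinct source addresses would receive an unsolicited SYN/ACK if the server answered every SYN, which is the backscatter onto innocent third parties the post warns about. The record layout, the source addresses (RFC 5737 documentation ranges), and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One record per packet: (src, dst, dport, tcpdump-style TCP flags).
# "S" is a SYN from the client, "." is the bare ACK that completes the handshake.
Record = Tuple[str, str, int, str]

# Constructed sample (not captured traffic). Target 1.2.3.4:123 is the post's example;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_RECORDS: List[Record] = (
    # Two legitimate clients: SYN followed by the ACK that completes the handshake.
    [("198.51.100.7", "1.2.3.4", 123, "S"), ("198.51.100.7", "1.2.3.4", 123, ".")]
    + [("198.51.100.8", "1.2.3.4", 123, "S"), ("198.51.100.8", "1.2.3.4", 123, ".")]
    # Flood: 40 SYNs from 40 distinct spoofed sources, none of which ever ACKs.
    + [(f"203.0.113.{i}", "1.2.3.4", 123, "S") for i in range(1, 41)]
    # Unrelated traffic to another service on the same host, normal handshake.
    + [("198.51.100.9", "1.2.3.4", 80, "S"), ("198.51.100.9", "1.2.3.4", 80, ".")]
)


def summarize(records: List[Record],
              min_syns: int = 20,
              half_open_threshold: float = 0.9) -> Dict[Tuple[str, int], dict]:
    """Per (dst, dport): SYN count, completed handshakes, half-open ratio,
    distinct sources, and how many of those sources would get an unsolicited
    SYN/ACK (they sent a SYN but never completed). The flood verdict is an
    assumed heuristic: many SYNs and almost none completing."""
    syn_sources = defaultdict(set)   # (dst, dport) -> sources that sent a SYN
    ack_sources = defaultdict(set)   # (dst, dport) -> sources that completed
    syn_count = defaultdict(int)

    for src, dst, dport, flags in records:
        key = (dst, dport)
        if flags == "S":
            syn_sources[key].add(src)
            syn_count[key] += 1
        elif flags == "." and src in syn_sources[key]:
            # Only an ACK from a source that previously sent a SYN counts as
            # a completed handshake; a spoofed source never gets this far.
            ack_sources[key].add(src)

    summary = {}
    for key, count in syn_count.items():
        completed = len(ack_sources[key])
        half_open_ratio = (count - completed) / count
        # Sources that would be hit with a SYN/ACK they never asked for.
        unsolicited = len(syn_sources[key] - ack_sources[key])
        summary[key] = {
            "syns": count,
            "completed": completed,
            "half_open_ratio": round(half_open_ratio, 3),
            "distinct_sources": len(syn_sources[key]),
            "unsolicited_synack_targets": unsolicited,
            "likely_spoofed_flood": count >= min_syns
                                    and half_open_ratio >= half_open_threshold,
        }
    return summary


if __name__ == "__main__":
    for (dst, dport), stats in sorted(summarize(SAMPLE_RECORDS).items()):
        print(f"{dst}:{dport}", stats)
```

With the constructed sample, port 123 shows 42 SYNs, 2 completed handshakes and 40 sources that would receive unsolicited SYN/ACKs, while port 80 looks normal. In real triage the completion ratio is what separates a spoofed flood (nothing to trace, and answering it sprays backscatter) from unspoofed sources that can be tracked down, which is the distinction the post draws.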
Current thread:
- ISP's who filter ICMP during DoS? ASV (Jun 28)
- RE: ISP's who filter ICMP during DoS? David Schwartz (Jun 28)
- Re: ISP's who filter ICMP during DoS? Pim van Riezen (Jun 28)
- Re: ISP's who filter ICMP during DoS? Rafi Sadowsky (Jun 29)
- <Possible follow-ups>
- RE: ISP's who filter ICMP during DoS? Los, Ralph (Jun 29)
- RE: ISP's who filter ICMP during DoS? Christopher L. Morrow (Jun 29)