Re: DOS by Flooding a Network

[Skip Carter <skip () taygeta com>]

> This past weekend, we experienced the periodic flooding of our network.
> The flooding caused our network to be inaccessible. The traffic has
> mainly been ICMP: large quantities of large spoofed packets...similar to
> "ping-of-death. Appropriate patching has been applied so the actual
> attach does not shut anything down. However, it does succeed in flooding
> of our network rendering it inaccessible.
>
> We are trying to figure out a way, if any, to mitigate this attack from
> flooding our network in the future. We tried to coordinate with our ISP
> upstream but they say they can't do anything....and we feel sending
> resets on our end would be useless and ineffective. We are trying to
> figure out a way to eliminate the "choke point" or "bottle neck" when
> the attacks occur. I feel we should be able to do something better than
> just "weathering the storm".

        We have been seeing the same type of thing here, it started almost a week ago 
and became
very heavy over the weekend.  The packets almost look like a classical Smurf 
storm, but the
destination IP is 255.255.255.255.  This morning I created a Snort rule to 
record what is
happening and so far I have seen 77 different supposed source addresses (which 
are almost
certainly spoofed).   Fortunately for me, my ISP is cooperating in trying to 
deal with these
events.





 


-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            












----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com