In case others are engaged in lobbying with cisco, here are my case
numbers with the cisco TAC on this topic:
-----------------------------------------------------
CASE: H87031
OPENED: 05-AUG-97
DESCRIPTION: turn off IP packet directed broadcast by default
-----------------------------------------------------
CASE: H87037
OPENED: 05-AUG-97
DESCRIPTION: make "ip classless" default for ISP IOS images
-----------------------------------------------------
I agree with both, but thankfully they're both easy fixes.
Josh Beck jbeck@connectnet.com
Has anyone been recently attacked by massive flood pings??? We are
trying to locate any other ISPs or anyone else having the same problem.
Ummm. Is it really that hard to type "ip classless" in the config?
Ping floods are quite possibly the single most common form of attempted
denial of service attacks. If someone is ping flooding you, plug a
sniffer into the ethernet and take a look at where they're coming
from. Or, if you know what host on your network is under attack, a simple
netstat will show you the open connections at that time. If you're lucky,
it's just some clueless person doing a ping -f or similar. Or, you're
being attacked by the smurf.c program (or similar) that forges icmp
packets with your source address to broadcast addresses and then you get
flooded by the replies. I'd just go to a few of your machines and do a
netstat on them, then dump the data to a file and see if you can see where
all the ICMP packets are coming from. When you find out, it's time to get
on the horn and talk to the Administrative and Technical contact for the
domain. Also, it might not be a bad idea to deny ICMP at your router.
This can be done by adding a line like this to your cisco access-list:
access-list 101 permit icmp any host 204.253.208.20
access-list 101 permit icmp any host 204.253.208.10
access-list 101 deny icmp any 204.253.208.0 0.0.0.255
access-list 101 permit ip any any
the permit lines allow people from the outside (or whatever other
interface(s) we apply this access list to) to still ping some sites. All
icmp traffic to others is denied.
I don't mean to insult your intelligence if you already knew this, but I
figured if you didn't know it, you might want to. And, we haven't
experienced any ping flood recently that I can think of (the access-list
did help).
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
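Joe's netstat-and-sniffer advice above comes down to one question: are the ICMP echo replies flooding you arriving from many hosts on a few networks? That pattern is the signature of the forged-source broadcast ping described elsewhere in this thread, and it tells you which networks' admins to call. The following Python script is an added illustration, not code from any post in the thread. It parses constructed tcpdump-style summary lines (the addresses are documentation ranges invented for the example), finds the host receiving the most echo replies, and groups the replying sources by /24 to list the networks that answered a broadcast. The line format, the /24 grouping and the three-host threshold are assumptions; adjust the regex to whatever your sniffer prints.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sniffer summary lines in a tcpdump-like layout (not a real capture).
# Hosts in 198.51.100.0/24 and 203.0.113.0/24 are all answering an echo request
# that was sent to their broadcast address with the victim 192.0.2.7 as the
# forged source, so the replies pile up on 192.0.2.7.
SAMPLE_LINES = [
    "12:00:01.000100 198.51.100.11 > 192.0.2.7: icmp: echo reply",
    "12:00:01.000220 198.51.100.12 > 192.0.2.7: icmp: echo reply",
    "12:00:01.000340 198.51.100.13 > 192.0.2.7: icmp: echo reply",
    "12:00:01.000460 198.51.100.14 > 192.0.2.7: icmp: echo reply",
    "12:00:01.000580 198.51.100.11 > 192.0.2.7: icmp: echo reply",
    "12:00:01.000700 203.0.113.21 > 192.0.2.7: icmp: echo reply",
    "12:00:01.000820 203.0.113.22 > 192.0.2.7: icmp: echo reply",
    "12:00:01.000940 203.0.113.23 > 192.0.2.7: icmp: echo reply",
    "12:00:01.001060 192.0.2.99 > 192.0.2.7: icmp: echo reply",
    "12:00:01.001180 192.0.2.7 > 192.0.2.99: icmp: echo request",
    "12:00:01.001300 192.0.2.7.80 > 198.51.100.5.1234: P 1:101(100) ack 1 win 8760",
]

# Timestamp, source, destination, then the ICMP echo reply marker. Lines that
# do not match (echo requests, TCP, UDP) are skipped.
ECHO_REPLY_RE = re.compile(
    r"^\S+\s+(?P<src>\d+(?:\.\d+){3})\s+>\s+(?P<dst>\d+(?:\.\d+){3}):\s+icmp:\s+echo reply"
)


def parse_echo_replies(lines):
    """Return (src, dst) pairs for every ICMP echo reply line."""
    pairs = []
    for line in lines:
        m = ECHO_REPLY_RE.match(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def find_reflectors(lines, prefix_len=24, min_hosts=3):
    """Identify the flood victim and the networks whose hosts are replying to it.

    Returns None if there are no echo replies. Otherwise returns a dict with the
    victim address, the number of replies it received, and a mapping of source
    network (CIDR string) to the number of distinct replying hosts, keeping only
    networks with at least `min_hosts` distinct repliers (assumed threshold).
    """
    pairs = parse_echo_replies(lines)
    if not pairs:
        return None
    by_dst = Counter(dst for _, dst in pairs)
    victim, reply_count = by_dst.most_common(1)[0]
    hosts_by_net = defaultdict(set)
    for src, dst in pairs:
        if dst == victim:
            net = ip_network(f"{src}/{prefix_len}", strict=False)
            hosts_by_net[str(net)].add(src)
    reflectors = {
        net: len(hosts) for net, hosts in hosts_by_net.items() if len(hosts) >= min_hosts
    }
    return {"victim": victim, "reply_count": reply_count, "reflectors": reflectors}


if __name__ == "__main__":
    report = find_reflectors(SAMPLE_LINES)
    print(f"victim {report['victim']} received {report['reply_count']} echo replies")
    for net, n in sorted(report["reflectors"].items(), key=lambda kv: -kv[1]):
        print(f"  {n} distinct hosts in {net} are replying; contact that network's admin")
```

On a real incident you would pipe the output of `tcpdump -n icmp` (or your sniffer's equivalent) into `parse_echo_replies` instead of the constructed list. The single local replier in 192.0.2.0/24 stays below the threshold, which is the point of grouping by distinct hosts rather than by packet count: a normal ping answer is one host, a broadcast reflection is a whole subnet.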
Joe,
Thanks… what if someone ping attacks the web server and then spoofs the IP
address of the web server to attack someone else. We had that happen
and we did use a sniffer and got tons of information from it, but the
IP addresses that were there were from other places (like schools, other
ISPs, etc… etc…)… the person probably pinged the broadcast address of some
other sites and got valid addresses and then ping attacked us. Have you
recently experienced this??? We're trying to track down the person, but
it's very difficult… any ideas…
No but we were hit with tons of UDP traffic that was chewing up DS3s worth
of bandwidth mostly coming from MAE-East and partially from Pennsauken
Alex
Yes. It was interesting. My understanding is that what I am about to tell
you is old news, but here:
Attacker sends a packet with a source address of the victim, with a dest
address to the broadcast of a (pick any) network. Every machine on the
network will then respond with an ICMP reply to the 'source' (the victim).
My understanding is that a 28.8 user could easily fill a T1 (or more)
with this method. We have no proof, but someone did this to us from what
appears to be an ISDN account from PSI, and filled 6 - 7 mb/s of our
Ethernet genuity connection in doing so. It was *not* cool.
Does anyone have any ideas where it's coming from??? We have had no
luck with this at all???
> Has anyone been recently attacked by massive flood pings??? We are
> trying to locate any other ISPs or anyone else having the same problem.

> flooded by the replies. I'd just go to a few of your machines and do a
> netstat on them, then dump the data to a file and see if you can see where
> all the ICMP packets are coming from. When you find out, it's time to get
And just how do you identify the source of the ICMP packets when the source
address is forged? All too often when a customer calls to report this sort
of problem to their upstream provider, the source of the traffic is traced
to the shared media at an IXP and this, only after some laborious effort by
the NOC staff of the upstream network provider. It is really hard to trace
ICMP floods past the IXP shared media.
I'm not sure what can be done to make this easier but I have a few ideas.
IMHO this is an important problem to solve because ICMP does some useful
things so that most of us don't want to simply turn it off in our networks
entirely. But we do need some tools and/or knobs in the routers to help us
track down the source of these floods quickly and effortlessly.
One idea that I've had would be to have a tool which can poll your routers
for SNMP stats on ICMP traffic and analyze them based on normal ICMP
traffic levels to detect where an unusually large number of ICMP packets
are entering your network. This probably needs some assistance from the
researchers who study traffic stats to determine the baseline for what is
normal, or perhaps to tell us that there is no absolute baseline and we
need a tool to analyze our networks specifically to dynamically determine
the baseline. This also assumes that ping floods are aberrant events, i.e.
they do not occur so often that they appear to be the normal state of
affairs. And it also assumes that during a ping flood attack even if the
source addresses are spoofed, nevertheless the stream of packets all follow
the same route and all originate on the same LAN.
Obviously, any solution to tracking these attacks will require a certain
level of cooperation from all providers but I think it is in all our best
interests to work on this because in the end it will save us from a lot of
headaches and help all of us in our customer relationships.
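Michael's SNMP-polling idea above, sketched as a small Python baseline detector. This is an added example, not code from the thread or from any vendor tool. It assumes a poller already delivers (time, interface, cumulative ICMP-in packet count) triples; the per-interface ICMP counter is itself an assumption, since the standard MIB-II icmpInMsgs counter is per system, so in practice the per-interface figure might come from access-list match counters instead. The sample counter readings are constructed. The code converts Counter32 readings to packets per second (handling counter wrap), learns a mean and standard deviation from the first few intervals on each interface, and flags intervals above mean + k * sd, with an absolute packets-per-second floor so a quiet interface with near-zero variance does not alert on noise.

```python
import statistics
from collections import defaultdict

COUNTER32_MAX = 2 ** 32  # SNMP Counter32 values wrap back to zero here

# Constructed poller output: (seconds, interface, cumulative ICMP-in packet count),
# one reading per interface per minute. Serial0 carries about 10 ICMP pps normally
# and then receives about 1000 pps for two minutes; Ethernet0 stays at 4 pps and
# its counter wraps between the first two readings to exercise the wrap handling.
SAMPLES = [
    (0,   "Serial0", 1000),    (0,   "Ethernet0", COUNTER32_MAX - 100),
    (60,  "Serial0", 1600),    (60,  "Ethernet0", 140),
    (120, "Serial0", 2210),    (120, "Ethernet0", 380),
    (180, "Serial0", 2800),    (180, "Ethernet0", 620),
    (240, "Serial0", 3405),    (240, "Ethernet0", 860),
    (300, "Serial0", 63405),   (300, "Ethernet0", 1100),
    (360, "Serial0", 123405),  (360, "Ethernet0", 1340),
    (420, "Serial0", 124000),  (420, "Ethernet0", 1580),
]


def counter_rates(samples):
    """Turn cumulative counter readings into per-interval packet rates.

    Returns {interface: [(t, packets_per_second), ...]} in time order, using
    modular subtraction so a 32-bit counter wrap does not produce a bogus
    negative delta.
    """
    last = {}
    rates = defaultdict(list)
    for t, iface, value in sorted(samples):
        if iface in last:
            t0, v0 = last[iface]
            if t > t0:
                delta = (value - v0) % COUNTER32_MAX
                rates[iface].append((t, delta / (t - t0)))
        last[iface] = (t, value)
    return rates


def learn_baseline(series, n_train):
    """Mean and population standard deviation of the first n_train rates."""
    vals = [pps for _, pps in series[:n_train]]
    mean = statistics.fmean(vals)
    sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
    return mean, sd


def detect_icmp_floods(samples, n_train=4, k=3.0, min_pps=200.0):
    """Flag intervals whose ICMP rate exceeds the learned baseline.

    threshold = max(mean + k * sd, min_pps). The absolute floor stops an
    interface with a flat baseline (sd close to 0) from alerting on trivial
    noise. Returns a list of (interface, t, rounded_pps) alerts.
    """
    alerts = []
    for iface, series in counter_rates(samples).items():
        if len(series) <= n_train:
            continue  # not enough history to learn a baseline yet
        mean, sd = learn_baseline(series, n_train)
        threshold = max(mean + k * sd, min_pps)
        for t, pps in series[n_train:]:
            if pps > threshold:
                alerts.append((iface, t, round(pps)))
    return alerts


if __name__ == "__main__":
    for iface, t, pps in detect_icmp_floods(SAMPLES):
        print(f"t={t}s {iface}: {pps} ICMP pps, far above baseline; check the upstream on this interface")
```

The interface that alerts is the one the flood is entering on, which is exactly the information you need when you phone the upstream provider. The fixed training window is the simplest possible baseline; as Michael notes, a real tool would need a rolling or per-network baseline, and this approach only works if floods are rare enough not to poison the training interval.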
I think it's critical that routers be capable of logging the
hardware addresses of ICMP, along with source addresses, so that these
attacks can be traced across shared media at exchanges. As it is now, it's
hard enough to trace it back across a backbone, but if it crosses a MAE,
it's perfectly anonymous unless new techniques are around that we aren't
aware of.
Josh Beck jbeck@connectnet.com
=)
=)Has anyone been recently attacked by massive flood pings??? We are
=)trying to locate any other ISPs or anyone else having the same problem.
We seem to get it all the time on the venus, earth,
mercury.GAIANET.NET machines.
Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET
Unix Networking Operations - FreeBSD-Real Unix for Free
GaiaNet Corporation - M & C Estate
Beverly Hills, California USA 90210
HongKong Stars/Gravis UltraSound Mailing Lists Admin