[nsp] known networks for broadcast ping attacks

Netstat Webmaster wrote:

[some text omitted]
The real problem I see with this particular attack is that there is
nothing short of blocking all ICMPs that 'victim.com' can do. At least
not that I am aware of.

Regards,
Tripp

webmaster@http://www.netstat.net

This does not solve the entire problem. We have been the victim of
such an attack for the last several days. The attack is using up about
7 Mbits of our DS3 to Sprint or about 16%. Filtering out ICMP packets
at the router we control only prevents the target host from seeing the
ping replies, but does not recover the portion of our circuit occupied
by the ping replies, or of Sprint's backbone circuits, or of other
providers' circuits in the path, etc.

The filters need to be higher up the chain. EVERYONE needs to install
anti-spoof filters.

I'd prefer not to be forced to filter out all pings. Everyone
filtering out ICMP packets means there is a 100% successful denial of
service attack on what is otherwise a very useful debugging tool
(ping).

Rick Watson
The University of Texas, ACITS Networking Services
r.watson@utexas.edu

FDT has also been the target of such attacks recently. You know the
scenario. Some kid on IRC wants to own a channel, so he runs a script that
pings the broadcast address of a few dozen networks claiming a source
address of our IRC server...so we get hit so hard with icmp echo replies
that UUNet's Cascade switch starts burping such that the end result is we
get alternating [roughly] 0.5s bursts of silence / echo reply storms, and
no useful traffic comes through our T1. I have about 1.5mb of tcpdump
data displaying this from an attack yesterday, and it happened again
today.

Fortunately, they usually do this only briefly. I'm probably going to
tell our IRC admin to pull us off the IRC network. The only other viable
option I can think of would be to ask UUNet to block all icmp for our
network, and I don't want that.

We have seen the same thing on our network for ~10 weeks off and on.
The attacks have been as bad as 29M/sec.

I am attaching 'smurf.c' the program that triggers the broadcast pings
etc.

Everyone _please_ filter routing broadcast pings as this is a _major_
problem.

Jonah

smurf.c (5.98 KB)
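
The two filters the messages above ask for, modelled as an added Python example that is not part of the original thread: an anti-spoof check at the source provider's edge, and a directed-broadcast drop at the last-hop router (applied here to any packet, not only pings). The function names, prefixes and packets are constructed for illustration.

```python
import ipaddress

def source_is_valid(src, customer_prefixes):
    """Anti-spoof check at the provider edge: the source must belong to
    a prefix assigned to the customer port the packet arrived on."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in customer_prefixes)

def is_directed_broadcast(dst, attached_subnets):
    """Broadcast check at the last-hop router: only a router attached to
    the subnet knows its mask, so only it can tell that dst is a broadcast."""
    ip = ipaddress.ip_address(dst)
    for s in attached_subnets:
        net = ipaddress.ip_network(s)
        if net.prefixlen >= net.max_prefixlen - 1:
            continue  # /31 and /32 have no broadcast address
        # All-ones broadcast, plus the all-zeros form some old stacks answer.
        if ip in (net.broadcast_address, net.network_address):
            return True
    return False

def trace(packets, customer_prefixes, attached_subnets):
    """Run (src, dst) pairs through both filters; return a verdict per packet."""
    verdicts = []
    for src, dst in packets:
        if not source_is_valid(src, customer_prefixes):
            verdicts.append("dropped at source edge (spoofed)")
        elif is_directed_broadcast(dst, attached_subnets):
            verdicts.append("dropped at last hop (directed broadcast)")
        else:
            verdicts.append("forwarded")
    return verdicts

# Constructed sample data: documentation and private prefixes, not from the thread.
CUSTOMER = ["192.0.2.0/24"]
LANS = ["10.0.0.0/23", "198.51.100.8/31"]
PACKETS = [
    ("203.0.113.5", "10.0.1.255"),   # forged source, broadcast destination
    ("192.0.2.10", "10.0.1.255"),    # honest source, broadcast of the /23
    ("192.0.2.10", "10.0.0.255"),    # ordinary host inside the /23
    ("192.0.2.10", "198.51.100.9"),  # host on a /31 point-to-point link
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, trace(PACKETS, CUSTOMER, LANS)):
        print(pkt, "->", verdict)
```

The third packet shows why a remote network cannot safely block "anything ending in .255": inside a /23 that address is an ordinary host, so the broadcast check belongs on the router that knows the subnet mask.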