[nsp] known networks for broadcast ping attacks

Netstat Webmaster wrote:

[some text omitted]
The real problem I see with this particular attack is that there is
nothing short of blocking all ICMPs that 'victim.com' can do. At least
not that I am aware of.



This does not solve the entire problem. We have been the victim of
such an attack for the last several days. The attack is using up about
7 Mbits of our DS3 to Sprint or about 16%. Filtering out ICMP packets
at the router we control only prevents the target host from seeing the
ping replies, but does not recover the portion of our circuit occupied
by the ping replies, or of Sprint's backbone circuits, or of other
provider's circuits in the path, etc.

The filters need to be higher up the chain. EVERYONE needs to install
anti-spoof filters.

I'd prefer not to be forced to filter out all pings. Everyone
filtering out ICMP packets means there is a 100% successful denial of
service attack on what is otherwise a very useful debugging tool

Rick Watson
The University of Texas, ACITS Networking Services

FDT has also been the target of such attacks recently. You know the
senario. Some kid on IRC wants to own a channel, so he runs a script that
pings the broadcast address of a few dozen networks claiming a source
address of our IRC server...so we get hit so hard with icmp echo replies
that UUNet's Cascade switch starts burping such that the end result is we
get alternating [roughly] 0.5s bursts of silence / echo reply storms, and
no useful traffic comes through our T1. I have about 1.5mb of tcpdump
data displaying this from an attack yesterday, and it happened again

Fortunately, they usually do this only breifly. I'm probably going to
tell our IRC admin to pull us off the IRC network. The only other viable
option I can think of would be to ask UUNet to block all icmp for our
network, and I don't want that.

We have seen the same thing on our network for ~10weeks off and on.
The attacks have been as bad as 29M/sec.

I am attaching 'smurf.c' the program that triggers the broadcast pings

Everyone _please_ filter routing broadcast pings as this is a _major_


smurf.c (5.98 KB)