Ping flooding (fwd)

Are there any procedures in place to track down this kind of network
abuse. In particular, is it possible that it is a stealth attack?
Before you answer, take note that this is going to appear in Bob
Metcalfe's column next week.

According to: Michael Dillon

Are there any procedures in place to track down this kind of network
abuse. In particular, is it possible that it is a stealth attack?
Before you answer, take note that this is going to appear in Bob
Metcalfe's column next week.

what is, how to forge a ping attack expediting the imminent death of
the net? :-)

Date: Mon, 8 Jul 1996 15:30:43 -0600 (MDT)
From: Kevin Rosenberg <kevin@cyberport.com>
Reply-To: inet-access@earth.com
To: inet-access@earth.com
Subject: Re: Ping flooding
Resent-Date: Mon, 8 Jul 1996 15:30:53 -0600 (MDT)
Resent-From: inet-access@earth.com

> Some months later we had an incident of massive amounts of forged email
> from a site called SUNSETDIRECT.COM. For several weeks they sent forged

We are currently undergoing a ping flood attack, though our upstream
provider has filtered icmp from the host so the flood is no longer
affecting our T1 line.

The system administrator of the site that appears to be flooding us
doesn't believe his site is the source of the attack. He states that he
can't see the icmp packets, though I don't know how he is sniffing his
wire.

My questions are these:

Is it possible for someone to forge the source IP address of an icmp
packet?

If so, do they have to be in some routing proximity, or can they forge the
source address while they are connected from anywhere in the world?

Thanks!

yes, forging a ping attack is pretty easy and can be done from
anywhere with any source address (of course, who knows where the
responses will end up), the routing proximity is irrelevant, since the
source is not looked at (unless filters have been put in place, such
as what the upstream provider has apparently done).

the only way _I can think of_ in tracking it down, would be to backtrack
the possible paths into the router. either by sniffing the possible
lines coming into the router, or by temporarily disabling icmp echo reqs.
from all but one incoming line, until you've found the offending line,
continuing back.

of course this may be impossible in many cases since you probably
don't have access to the equipment (or cooperation) outside of your
domain.
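The backtracking described above starts from recognising the flood on the wire. The following is an added example, not code from anyone in this thread: it reads tcpdump-style capture lines (the capture below is constructed for the example) and reports any source address whose ICMP echo-request rate within a one-second sliding window exceeds a threshold. Note that, as the reply says, the source address in such a flood may be forged, so the address this reports identifies the line to walk back along, not necessarily the sender.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump-style output (not from the thread).
# One source sends eight echo requests within a few milliseconds, another
# sends two; a TCP line and an echo reply are present and must be ignored.
SAMPLE_CAPTURE = """\
15:30:43.001 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 1, length 64
15:30:43.002 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 2, length 64
15:30:43.003 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 3, length 64
15:30:43.004 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 4, length 64
15:30:43.005 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 5, length 64
15:30:43.006 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 6, length 64
15:30:43.007 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 7, length 64
15:30:43.008 IP 192.0.2.7 > 10.1.1.70: ICMP echo request, id 1, seq 8, length 64
15:30:43.020 IP 10.1.1.70 > 192.0.2.7: ICMP echo reply, id 1, seq 1, length 64
15:30:43.050 IP 203.0.113.9.51000 > 10.1.1.70.80: Flags [S], seq 1, win 65535
15:30:44.100 IP 198.51.100.5 > 10.1.1.70: ICMP echo request, id 9, seq 1, length 64
15:30:45.200 IP 198.51.100.5 > 10.1.1.70: ICMP echo request, id 9, seq 2, length 64
"""

# Matches only ICMP echo requests; everything else in the capture is skipped.
LINE_RE = re.compile(
    r'^(\d+):(\d+):(\d+)\.(\d+) IP (\S+) > (\S+): ICMP echo request'
)


def parse_echo_requests(capture):
    """Return a list of (timestamp_seconds, src, dst) for each echo request."""
    out = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, frac = (int(x) for x in m.group(1, 2, 3, 4))
        ts = h * 3600 + mi * 60 + s + frac / 1000.0
        out.append((ts, m.group(5), m.group(6)))
    return out


def find_flooding_sources(capture, window=1.0, threshold=5):
    """Return {src: peak requests per window} for sources above threshold.

    The peak is computed with a sliding window over the sorted timestamps,
    so a burst is caught even if the per-minute average looks modest.
    """
    by_src = defaultdict(list)
    for ts, src, _dst in parse_echo_requests(capture):
        by_src[src].append(ts)

    flooders = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flooders[src] = peak
    return flooders


if __name__ == "__main__":
    print(find_flooding_sources(SAMPLE_CAPTURE))  # {'192.0.2.7': 8}
```

The threshold and window are assumptions to tune for the link in question; the point of the sliding window is that a flood is a burst, and a per-source count alone tells you which inbound line to start backtracking from.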

OK. So what if somebody is currently planning a ping battle on the global
Internet, kind of like corewars in the network. Then what? Do the NSP's all
roll over and play dead?

If I were to crosspost this reply to alt.2600 it wouldn't take long to
happen you know. BTW, I won't be crossposting it there, but you get the
idea, security by obscurity, etc...

Is anyone working on tools to help NSP's quickly backtrack this kind of
thing?

Michael Dillon ISP & Internet Consulting
Memra Software Inc. Fax: +1-604-546-3049
http://www.memra.com E-mail: michael@memra.com

Are there any procedures in place to track down this kind of network
abuse. In particular, is it possible that it is a stealth attack?
Before you answer, take note that this is going to appear in Bob
Metcalfe's column next week.

you can easily forge the header on an ICMP packet to make it look like it
came from any address you wish, to my knowledge, there really isn't a way
you can track it down.

Denial of Service attacks like these are becoming commonplace, the only
real course of action is to firewall, unfortunately, they can just spoof
from another source address.

Is it possible for someone to forge the source IP address of an icmp
packet?

yes

action source destination
------ ------ -----------

allow 10.1.1.64/26 *
deny * *

Of course, no one does this,

Er ... we do this.

I used to have such a filter in place at previous job, but was ordered by
higher-ups to remove it. Still, such filters are, to my knowledge, fairly
uncommon. You are correct, though, that they are a polite thing to do.

Incidentally, I did get my example backwards. Sincerest apologies and
thanks to all who noticed; I'll try to proofread better next time.

It could be worse; I could insult the people who correct my mistakes. 8^)
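The filter table quoted above (allow traffic whose source is in the customer's own 10.1.1.64/26 block, deny everything else) is the ingress filter that answers the earlier question of whether a forged ICMP source address can be caught. As an added example that is not code from anyone in this thread, the following evaluates that table, first match wins, against a few constructed packets arriving from the customer side of a provider router. The prefix is the thread's own example; the packets and the rule representation are assumptions made for the demonstration.

```python
import ipaddress

# The thread's filter table as an ordered (action, source, destination) list.
# A packet that matches no rule is denied, matching the trailing deny rule.
FILTER_RULES = [
    ("allow", "10.1.1.64/26", "*"),
    ("deny", "*", "*"),
]


def _matches(pattern, address):
    """True if address falls inside pattern ('*' matches any address)."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def filter_action(rules, src, dst):
    """Return 'allow' or 'deny' for a packet using first-match semantics."""
    for action, src_pat, dst_pat in rules:
        if _matches(src_pat, src) and _matches(dst_pat, dst):
            return action
    return "deny"


def apply_filter(rules, packets):
    """Split packets (src, dst, description) into (passed, dropped) lists."""
    passed, dropped = [], []
    for pkt in packets:
        src, dst, _desc = pkt
        (passed if filter_action(rules, src, dst) == "allow" else dropped).append(pkt)
    return passed, dropped


# Constructed packets seen on the customer-facing interface (not from the thread).
# 10.1.1.64/26 covers 10.1.1.64 through 10.1.1.127, so .70 is inside and
# .130 is outside the customer's block even though it shares the /24.
SAMPLE_PACKETS = [
    ("10.1.1.70", "192.0.2.7", "legitimate echo request from the customer"),
    ("172.16.0.9", "192.0.2.7", "echo request with a source the customer does not own"),
    ("10.1.1.130", "192.0.2.7", "echo request from an address just outside the /26"),
    ("10.1.1.100", "198.51.100.5", "legitimate traffic to another destination"),
]


if __name__ == "__main__":
    passed, dropped = apply_filter(FILTER_RULES, SAMPLE_PACKETS)
    for pkt in passed:
        print("allow", pkt)
    for pkt in dropped:
        print("deny ", pkt)
```

Applied at the provider edge, this rule pair means a host on the 10.1.1.64/26 link cannot emit a packet claiming any other source, which is what makes the flood traceable to the line it actually entered on; it does nothing for floods that enter through a neighbour who has no such filter, which is the "no one does this" problem the thread raises.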