Ping flooding (fwd)

> The problem is not really a technical one. It's administrative. It's
> much more of a headache to backtrack through 30 routers that aren't in
> your own network than to backtrack to the ingress to your own network
> domain and filter it out there (which is the typical response to this
> kind of thing). Getting everyone in the path to cooperate with
> backtracking is difficult in many instances, impossible in others.

I recall that people have cooperated in the past on some sort of
performance analysis tool that transported packets through a tunnel to
some remote point and initiated an analysis of some sort from that point
I believe this was done by NLANR and had something to do with vBNS.

I don't think this is all that different. If some means existed for an NSP
to initiate a trace on a specific source address to backtrack it to the
real source then an easy to use tool could be built. Of course, first of
all router vendors need to make a quick and relatively painless way to
track down the interface that a packet comes in from, maybe

There will likely never be a means for a single NSP to track down the
real source of spoofed packets using IPv4. Service providers won't be
letting other service providers track spoofed packets through their

set icmp-source-trace on

and later....

show icmp-source-trace

IP address Interface
---------- --------- NO TRACE

Note that the source trace was active for a period of time and then
expired automatically with no new ICMP packets bearing the specified
source address in that period of time. If this facility is available an
easy to use tool could be built.

In the case of a spoofed-source, denial of service attack, the source
address is often of less use than the destination address/port/protocol
in tracking down the real source. The attacker just switches the source
address and walks right through your trace (or filters).

Don't get me wrong; I think packet sniffing capabilities (even in their
simplest forms) can be very useful and I wish there were more facilities
in typical routers for tracking traffic via IP header information.

> that doesn't even take into account the cases where an attacker has
> multiple paths into your network and is using multiple forged source
> addresses, much less the fact that the attacker can turn off the attack
> when he/she chooses, thwarting your effort to track them.

No doubt about it. Being a detective is hard boring plodding work and
sometimes you just never find the crook. But it's still worth trying.

Define worth. I live in a capitalist society where catching a criminal
is of little worth (particularly an ICMP bomber who's arguably not much
worse than a USENET spammer) in it's own right and often only worthwhile
if there's monetary compensation involved (either from a legal
settlement, reward or just recovery of service and time spent fixing
things that are broken by an attacker). :slight_smile:


Why not? Don't telcos do this?
Or if your answer is that telcos only do it for the police and not for
each other, then my question would be why can't we form an Internet
equivalent, maybe affiliated with something like CERT, that can make these
requests and with whom NSP's would cooperate.

Michael Dillon ISP & Internet Consulting
Memra Software Inc. Fax: +1-604-546-3049 E-mail: