As Alex said earlier, we have experienced(?) a few ping floods
recently, and it is very difficult to use technology to trace the real
culprit, because you would have to follow the L2 signature (router ARP
tables at every hop, show ip arp, on a Cisco) through the Internet to
the source which means that you would have to have privs (or cooperate
with engineers) on all the transit networks that the culprit uses. By
the time this is in place the flood has usually stopped and then we are
SOL >:)
I would suggest that you interview the specific person targeted
(if there is one) and ask, in good old Columbo style, 'Did the deceased
have any enemies that you know of?' You never know! Knowing/suspecting
is not enough and tangible proof is a different thing however!
There is another mitigation: everyone here should commit to filtering
customer packets at the customer premises router (or at the dial-in for
PPP/SLIP) such that it is not possible for a customer to send a packet into
the network that has an IP source address on it that is not assigned to
that customer. That is, no more lying about source addresses.
Each of you should also consider (depending upon how your address
allocations go - this should be cheap for a single CIDR block) filtering
all packets coming at you from elsewhere that have source addresses in your
assigned address space. That is, no one should be able to send you packets
that you appear to have originated.
This is for the terminal networks, not the transit networks.
This is an old problem. It's another variant of the TCP SYN flood thing.
These filters also help with that problem too.
Erik Fair <fair@clock.org>
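The two filters proposed in the message above, as an added example that is not part of the original post: a Python model of the customer-side check (source must belong to that customer) and the transit-side check (source must not be in our own space), plus a rendering of the same rules as Cisco IOS extended access lists. The address blocks, customer names, interface names, ACL numbers and sample packets are all hypothetical, constructed for this illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical allocation (constructed for this example): one CIDR block
# for the whole network, carved up among two customers.
OUR_SPACE = ipaddress.ip_network("192.0.2.0/24")
CUSTOMER_BLOCKS: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/26")],
    "cust-b": [ipaddress.ip_network("192.0.2.64/26"),
               ipaddress.ip_network("192.0.2.128/27")],
}


def customer_ingress_ok(customer: str, src: str) -> bool:
    """Rule 1 (customer premises / dial-in port): permit a packet only when
    its source address lies inside one of the blocks assigned to that
    customer. Anything else is a lie about the source and is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_BLOCKS[customer])


def transit_ingress_ok(src: str) -> bool:
    """Rule 2 (port facing the rest of the Internet): drop any packet
    claiming a source address inside our own assigned space, so nobody
    outside can send us packets we appear to have originated."""
    return ipaddress.ip_address(src) not in OUR_SPACE


def filter_packets(packets: List[Tuple[str, str, str]]) -> List[Tuple[Tuple[str, str, str], str]]:
    """Apply both rules to (ingress_interface, src, dst) tuples. An interface
    named after a customer gets rule 1; the 'transit' interface gets rule 2;
    an unknown interface fails closed."""
    decisions = []
    for pkt in packets:
        iface, src, _dst = pkt
        if iface == "transit":
            ok = transit_ingress_ok(src)
        elif iface in CUSTOMER_BLOCKS:
            ok = customer_ingress_ok(iface, src)
        else:
            ok = False
        decisions.append((pkt, "permit" if ok else "drop"))
    return decisions


def cisco_customer_acl(customer: str, number: int = 101) -> List[str]:
    """Render rule 1 for one customer as Cisco IOS extended-ACL lines
    (wildcard masks, implicit deny spelled out) for the interface facing
    that customer; apply with 'ip access-group <number> in'."""
    lines = []
    for net in CUSTOMER_BLOCKS[customer]:
        lines.append(f"access-list {number} permit ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {number} deny ip any any")
    return lines


def cisco_transit_acl(number: int = 102) -> List[str]:
    """Render rule 2 as Cisco IOS extended-ACL lines for a transit-facing
    interface: deny our own space as a source, permit everything else."""
    return [
        f"access-list {number} deny ip {OUR_SPACE.network_address} {OUR_SPACE.hostmask} any",
        f"access-list {number} permit ip any any",
    ]


# Constructed sample traffic: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "198.51.100.1"),    # legitimate customer packet
    ("cust-a", "192.0.2.70", "198.51.100.1"),    # cust-b's address on cust-a's port
    ("cust-a", "203.0.113.5", "198.51.100.1"),   # foreign source, spoofed
    ("cust-b", "192.0.2.130", "198.51.100.1"),   # cust-b's second block
    ("transit", "203.0.113.5", "192.0.2.10"),    # ordinary inbound traffic
    ("transit", "192.0.2.10", "192.0.2.20"),     # our own address arriving from outside
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt[0]:8} src={pkt[1]:<12} dst={pkt[2]}")
    print("\n".join(cisco_customer_acl("cust-a")))
    print("\n".join(cisco_transit_acl()))
```

Rule 1 belongs on every customer-facing interface and rule 2 on every transit or peering interface; as the message says, this is a terminal-network measure, and it does nothing for a flood whose source sits on a network that has not deployed the same filters.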