As Alex said earlier, we have experienced(?) a few ping floods recently, and it is very difficult to use technology to trace the real culprit, because you would have to follow the L2 signature (router ARP tables at every hop, show ip arp, on a Cisco) through the Internet to the source, which means that you would have to have privs (or cooperate with engineers) on all the transit networks that the culprit uses. By the time this is in place the flood has usually stopped and then we are SOL >:)
I would suggest that you interview the specific person targeted (if there is one) and ask, in good old Columbo style, 'Did the deceased have any enemies that you know of?' You never know! Knowing/suspecting is not enough and tangible proof is a different thing however!
-----------------------------
Does anyone have any ideas where it's coming from???? We have had no luck with this at all????
On Fri, 15 Aug 1997, Alex Rubenstein wrote:
Yes. It was interesting. My understanding is that what I am about to tell you is old news, but here:
Attacker sends a packet with a source address of the victim, with a dest address to the broadcast of a (pick any) network. Every machine on that network will then respond with an ICMP reply to the 'source' (the victim).
My understanding is that a 28.8 user could easily fill a T1 (or more) with this method. We have no proof, but someone did this to us from what appears to be an ISDN account from PSI, and filled 6 - 7 mb/s of our Ethernet Genuity connection in doing so. It was *not* cool.
On Fri, 15 Aug 1997, Network Admin Account wrote:
Has anyone been recently attacked by massive flood pings?????? We are trying to locate any other ISPs or anyone else having the same problem.
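
An added example, not part of the original thread: a detection sketch for the reflected ping flood described above, which flags a host receiving ICMP echo replies it never requested and groups the replying hosts by /24 to point at the network being used as the amplifier. The packet tuple layout, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (timestamp_s, src, dst, icmp_type, icmp_id, seq)
# icmp_type 8 = echo request, 0 = echo reply.
SAMPLE = [
    (0.00, "198.51.100.7", "203.0.113.9", 8, 1, 1),   # victim's own ping
    (0.03, "203.0.113.9", "198.51.100.7", 0, 1, 1),   # solicited reply
] + [
    # 40 hosts on one network answer a ping the victim never sent
    (1.0 + i * 0.001, f"192.0.2.{i}", "198.51.100.7", 0, 77, 1)
    for i in range(1, 41)
]

def find_reflected_floods(packets, min_sources=20, window=5.0):
    """Return {victim: {amplifier /24: distinct replying hosts}} for echo
    replies that match no request the victim sent within `window` seconds."""
    outstanding = {}   # (requester, target, id, seq) -> time request was seen
    unsolicited = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, icmp_type, icmp_id, seq in sorted(packets):
        if icmp_type == 8:
            outstanding[(src, dst, icmp_id, seq)] = ts
        elif icmp_type == 0:
            sent = outstanding.get((dst, src, icmp_id, seq))
            if sent is not None and ts - sent <= window:
                continue                  # answer to a ping dst really sent
            net = ip_network(f"{src}/24", strict=False)
            unsolicited[dst][str(net)].add(src)
    alerts = {}
    for victim, nets in unsolicited.items():
        # Many distinct unsolicited repliers is the reflection signature
        if sum(len(hosts) for hosts in nets.values()) >= min_sources:
            alerts[victim] = {n: len(hosts) for n, hosts in nets.items()}
    return alerts

if __name__ == "__main__":
    for victim, nets in find_reflected_floods(SAMPLE).items():
        print(victim, nets)
```

The networks it reports are the ones whose operators need to stop answering directed broadcasts; the reply sources say nothing about where the spoofed requests entered.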