On Fri, 15 Aug 1997, Network Admin Account wrote:
> Has anyone been recently attacked by massive flood pings? We are trying to locate any other ISPs or anyone else having the same problem.
Ping floods are quite possibly the single most common form of attempted denial of service attacks. If someone is ping flooding you, plug a sniffer into the ethernet and take a look at where they're coming from. Or, if you know what host on your network is under attack, a simple netstat will show you the open connections at that time. If you're lucky, it's just some clueless person doing a ping -f or similar. Or, you're being attacked by the smurf.c program (or similar) that forges icmp packets with your source address to broadcast addresses, and then you get flooded by the replies.

I'd just go to a few of your machines and do a netstat on them, then dump the data to a file and see if you can see where all the ICMP packets are coming from. When you find out, it's time to get on the horn and talk to the Administrative and Technical contact for the domain.

Also, it might not be a bad idea to deny ICMP at your router. This can be done by adding lines like these to your cisco access-list:

    access-list 101 permit icmp any host 204.253.208.20
    access-list 101 permit icmp any host 204.253.208.10
    access-list 101 deny icmp any 204.253.208.0 0.0.0.255
    access-list 101 permit ip any any

The permit lines allow people from the outside (or whatever other interface(s) we apply this access list to) to still ping some sites. All icmp traffic to others is denied.

I don't mean to insult your intelligence if you already knew this, but I figured if you didn't know it, you might want to. And, we haven't experienced any ping flood recently that I can think of (the access-list did help).

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
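The reply above suggests dumping netstat or sniffer output and looking at where the ICMP is coming from. The script below is an added example (not from the original post) that does that analysis on constructed packet summaries: it picks out echo replies the victim never requested, which is the signature of a smurf-style reflection, and groups their sources by /24 to show when a whole block of hosts is answering, as happens when a broadcast address is used as an amplifier. The victim and source addresses are documentation-range values chosen for the example.

```python
"""Spot a smurf-style ICMP reply flood in captured packet summaries.

smurf forges echo requests with the victim's source address towards
broadcast addresses; the victim then receives a flood of echo replies it
never asked for. Unsolicited replies, clustered by /24, are the telltale.
"""
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample records (src, dst, icmp_type): 8 = echo request, 0 = echo reply.
# The victim is assumed to be 192.0.2.10 (documentation range, not a real host).
VICTIM = "192.0.2.10"
CAPTURE = [
    ("192.0.2.10", "198.51.100.1", 8),   # a ping the victim sent itself...
    ("198.51.100.1", "192.0.2.10", 0),   # ...and its legitimate reply
] + [(f"203.0.113.{i}", "192.0.2.10", 0) for i in range(1, 41)]  # 40 unsolicited replies


def unsolicited_replies(capture, victim):
    """Return echo replies to `victim` whose source was never sent an echo request."""
    requested = {dst for src, dst, t in capture if src == victim and t == 8}
    return [(src, dst) for src, dst, t in capture
            if dst == victim and t == 0 and src not in requested]


def amplifier_networks(replies, min_hosts=8):
    """Group reply sources by /24.  Many distinct hosts in one block answering
    at once points at that block's broadcast address being used as an amplifier."""
    hosts = defaultdict(set)
    for src, _ in replies:
        hosts[str(ip_network(f"{src}/24", strict=False))].add(src)
    return {net: len(h) for net, h in hosts.items() if len(h) >= min_hosts}


def report(capture=CAPTURE, victim=VICTIM):
    """Summarise the capture: how many unsolicited replies, from where, and which
    /24s look like amplifiers.  These are the networks whose contacts to call."""
    replies = unsolicited_replies(capture, victim)
    return {
        "unsolicited": len(replies),
        "top_sources": Counter(src for src, _ in replies).most_common(3),
        "amplifiers": amplifier_networks(replies),
    }


if __name__ == "__main__":
    print(report())
```

Feeding real sniffer output only requires parsing each line into the same (src, dst, icmp_type) tuples; a single reply per source with dozens of sources in one /24 is the pattern to look for, as opposed to one noisy host doing ping -f.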