One idea that I've had would be to have a tool which can poll your routers for SNMP stats on ICMP traffic and analyze them based on normal ICMP traffic levels to detect where an unusually large number of ICMP packets are entering your network. This probably needs some assistance from the researchers who study traffic stats to determine the baseline for what is normal, or perhaps to tell us that there is no absolute baseline and we need a tool to analyze our networks specifically to dynamically determine the baseline. This also assumes that ping floods are aberrant events, i.e. they do not occur so often that they appear to be the normal state of affairs. And it also assumes that during a ping flood attack, even if the source addresses are spoofed, the stream of packets nevertheless all follows the same route and all originates on the same LAN.
I think it's critical that routers be capable of logging the hardware addresses of ICMP, along with source addresses, so that these attacks can be traced across shared media at exchanges. As it is now, it's hard enough to trace it back across a backbone, but if it crosses a MAE, it's perfectly anonymous unless new techniques are around that we aren't aware of.

Josh Beck
jbeck@connectnet.com
----------------------------------------------------------------------
CONNECTNet INS, Inc.               Phone: (619)450-0254  Fax: (619)450-3216
6370 Lusk Blvd., Suite F-208       San Diego, CA 92121
----------------------------------------------------------------------
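The SNMP-polling idea in the first paragraph, a tool that learns each router's normal inbound ICMP rate dynamically and flags excursions, can be sketched as a small detector. The block below is an added example and is not code from the original post or its author; it assumes an external poller that periodically reads the MIB-II `icmpInMsgs` counter (OID 1.3.6.1.2.1.5.1, a Counter32) from each border router, and the poll samples embedded in it are constructed. It handles two practical details the post does not spell out: 32-bit counter wrap, and freezing the baseline while an alert is active so that a sustained flood does not become the "normal state of affairs".

```python
"""Dynamic-baseline detector for inbound ICMP floods, driven by SNMP counter samples.

Added example (not from the original post). It assumes a poller that periodically
reads icmpInMsgs (MIB-II, OID 1.3.6.1.2.1.5.1) from each border router; the
polling itself is not implemented here, and the samples below are constructed.
"""
import math

ICMP_IN_MSGS_OID = "1.3.6.1.2.1.5.1"  # MIB-II icmpInMsgs, a Counter32 (RFC 1213)
COUNTER32_WRAP = 2 ** 32


def counter_delta(prev: int, cur: int) -> int:
    """Packets counted between two Counter32 readings, allowing for one wrap."""
    if cur >= prev:
        return cur - prev
    return cur + COUNTER32_WRAP - prev


class IcmpBaseline:
    """Tracks the normal inbound ICMP rate of one router and flags excursions.

    The baseline is an exponentially weighted mean/variance of packets per second.
    Samples that trip the alert are NOT folded into the baseline, which encodes the
    post's assumption that floods are aberrant rather than the normal state.
    """

    def __init__(self, alpha=0.2, k=4.0, min_rate=20.0, warmup=5):
        self.alpha = alpha        # EWMA smoothing factor
        self.k = k                # alert when rate > mean + k * stddev
        self.min_rate = min_rate  # absolute pps floor: never alert below this
        self.warmup = warmup      # number of samples used to seed mean/variance
        self.mean = 0.0
        self.var = 0.0
        self._seed = []
        self._last = None         # (timestamp, counter) of the previous poll

    def observe(self, ts: float, counter: int):
        """Feed one poll; return (rate_pps, alert) or None if no rate is computable yet."""
        if self._last is None:
            self._last = (ts, counter)
            return None
        prev_ts, prev_ctr = self._last
        self._last = (ts, counter)
        elapsed = ts - prev_ts
        if elapsed <= 0:
            return None
        rate = counter_delta(prev_ctr, counter) / elapsed

        if len(self._seed) < self.warmup:
            self._seed.append(rate)
            if len(self._seed) == self.warmup:
                self.mean = sum(self._seed) / self.warmup
                self.var = sum((r - self.mean) ** 2 for r in self._seed) / self.warmup
            return rate, False

        threshold = self.mean + self.k * math.sqrt(self.var)
        if rate > threshold and rate >= self.min_rate:
            return rate, True  # baseline deliberately left untouched during a flood
        diff = rate - self.mean
        self.mean += self.alpha * diff
        self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return rate, False


def find_floods(samples):
    """Run the detector over (timestamp, icmpInMsgs) polls; return [(ts, rate)] alerts."""
    baseline = IcmpBaseline()
    alerts = []
    for ts, ctr in samples:
        result = baseline.observe(ts, ctr)
        if result is not None and result[1]:
            alerts.append((ts, result[0]))
    return alerts


# Constructed polls at 60 s intervals. The counter starts just below 2^32 so the
# first delta crosses a wrap; steady state is ~10 ICMP pps, then three intervals
# of 500 pps (a flood), then back to normal.
SAMPLE_POLLS = [
    (0, 4294966700), (60, 4), (120, 614), (180, 1204), (240, 1809),
    (300, 2404), (360, 3004), (420, 3619), (480, 4209),
    (540, 34209), (600, 64209), (660, 94209),
    (720, 94809), (780, 95409),
]

if __name__ == "__main__":
    for ts, rate in find_floods(SAMPLE_POLLS):
        print(f"t={ts}s inbound ICMP {rate:.0f} pps exceeds baseline")
```

One instance of `IcmpBaseline` per polled router gives the per-network, dynamically learned baseline the post asks for; the `k` and `min_rate` knobs are where the traffic researchers' input would go, since a quiet link with near-zero variance would otherwise alert on a handful of extra pings.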