OK. So what if somebody is currently planning a ping battle on the global Internet, kind of like corewars in the network. Then what? Do the NSPs all roll over and play dead?
Sounds sort of like the day they put Peter Gabriel on MBONE. word, and unfortunately, yes. See more below.
Before you answer, take note that this is going to appear in Bob Metcalfe's column next week.
In a word, and fortunately, no. See more on last line.
We are currently undergoing a ping flood attack, though our upstream provider has filtered icmp from the host so the flood is no longer affecting our T1 line.
You should thank them for this, as it is pretty much your only recourse.
The system administrator of the site that appears to be flooding us doesn't believe his site is the source of the attack. He states that he can't see the icmp packets, though I don't know how he is sniffing his wire.
Provided that he has a single broadcast LAN segment (e.g., an ethernet segment on a dumb hub) feeding into his network feed (T1 or whatever), then he could use tcpdump or Solaris' snoop to check for ICMP packets.
My questions are these:
Is it possible for someone to forge the source IP address of an icmp packet?
Trivially so, yes.
If so, do they have to be in some routing proximity, or can they forge the source address while they are connected from anywhere in the world?
To answer this question, think about how your Internet gateway works. When it receives an outgoing packet, what does it do? It examines the destination header and makes a decision as to which interface to forward it onto. If it is destined for network X, then it consults its routing table and merrily forwards the packet.

If you have a very restrictive security policy, then you might want to place a packet filter on all outgoing traffic. If your network is 10.1.1.64/26, then you might have the following two rules:

    action   source         destination
    ------   ------         -----------
    allow    10.1.1.64/26   *
    deny     *              *

Of course, no one does this, because it is very time consuming for your router to examine every packet in this way. This translates into more marginal cost on your hardware for very little return.

Say that person X, the person who owns the network from which these pings are apparently originating, did have such a filter. What does this do? It proves that the packets are not originating on his network. Does it stop anyone else from forging these packets? No. The attacker, Y, might have a machine on someone else's network. If they do not have a similar rule on their routers connecting to the global network (again, most people don't), then these packets will simply be routed to their destination.

But say that Y is not a guest on someone else's network. Say he has a T1 from, e.g., MCI. At the router on MCI's end of the T1, do they have one of these filters to prevent such impersonations? Probably not. And why would they? It would be very expensive (the leased line business is very competitive), and the only thing it would do is potentially annoy the customer. If they are mistakenly placing the wrong return address on their packets, then they will figure it out very quickly; all return traffic from any network sessions they establish will be sent to another network. Zippo, no WWW, no mail, etc.

In other words, the attacker could be anywhere in the world.
The only way to track him down would be for your ISP to put monitors at all of their interconnect points with other networks. Once they figure out the point at which the traffic is entering their network, then _that_ network would have to place monitors on all of _their_ connect points. Eventually, you could track it down this way. I don't think that you would be very successful convincing the various networks to cooperate, though. Your provider did a very nice thing by stopping all ICMP packets. You should make it publicly known that they are doing so, in the hopes that whoever is doing this will tire of using all their bandwidth to bombard you. (Until they do so, your ISP will continue to absorb the cost of transporting all this traffic to your doorstep and /dev/nulling it.) If they ever start forging packets to your www server|port 80, you will be royally screwed. Be glad that your attacker is stupid, because they appear to be rich and patient (assuming it really is a forged address.)
Thanks!
You're welcome.

P.S. It probably isn't forged. Ask for more details from the suspect's network administrator. If he continues to be uncooperative, call the upstream provider of the apparent offender and ask them to monitor the suspect's line. This qualifies as definite antisocial behaviour.

_____________________________________________________________________
Todd Graham Lewis                       Core Engineering
Mindspring Enterprises                  tlewis@mindspring.com
(Standard Disclaimers)                  (800) 719 4664, x2804
(Copyright 1996 Todd Lewis, All Rights Reserved.)
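The two-rule egress filter described in the reply (allow sources inside 10.1.1.64/26, deny everything else), applied to constructed outgoing packets so you can see which claimed sources a gateway would drop and which it would merrily forward. This is an added example, not code from the thread; the packet tuples, the sample addresses and the helper names are my own assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# The site's own address block, taken from the reply.
SITE_PREFIX = ip_network("10.1.1.64/26")

# The reply's two rules, first match wins. None means "any" for that field.
#   allow  10.1.1.64/26  *
#   deny   *             *
RULES = [
    ("allow", SITE_PREFIX, None),
    ("deny", None, None),
]


def egress_decision(src, dst, rules=RULES):
    """Return 'allow' or 'deny' for one outgoing packet (src, dst as strings)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if src_net is not None and s not in src_net:
            continue
        if dst_net is not None and d not in dst_net:
            continue
        return action
    return "deny"  # nothing matched: drop by default


def filter_outgoing(packets, rules=RULES):
    """Split (src, dst, proto) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        target = forwarded if egress_decision(pkt[0], pkt[1], rules) == "allow" else dropped
        target.append(pkt)
    return forwarded, dropped


def spoofed_sources(dropped):
    """Count dropped packets per claimed source: the evidence the suspect site's
    admin needs to prove (or disprove) that the flood is leaving his wire."""
    return Counter(src for src, _dst, _proto in dropped)


# Constructed sample traffic on the gateway's inside interface (not captured data).
SAMPLE_PACKETS = [
    ("10.1.1.70", "192.0.2.10", "icmp"),     # legitimate ping from inside the /26
    ("10.1.1.100", "192.0.2.10", "tcp"),     # legitimate web request
    ("10.1.1.130", "192.0.2.10", "icmp"),    # .130 is outside 10.1.1.64/26: misconfigured or forged
    ("198.51.100.5", "192.0.2.10", "icmp"),  # claims to come from another network entirely
    ("198.51.100.5", "192.0.2.10", "icmp"),
]

if __name__ == "__main__":
    fwd, drop = filter_outgoing(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for src, n in spoofed_sources(drop).items():
        print(f"  {src}: {n} packet(s) with a source outside {SITE_PREFIX}")
```

The filter only proves what does not leave this one network; as the reply says, it does nothing about a forger sitting on a provider that runs no such rule.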