Netstat Webmaster wrote:
[some text omitted] The real problem I see with this particular attack is that there is nothing short of blocking all ICMPs that 'victim.com' can do. At least not that I am aware of.
Regards, Tripp
webmaster@http://www.netstat.net
This does not solve the entire problem. We have been the victim of such an attack for the last several days. The attack is using up about 7 Mbits of our DS3 to Sprint or about 16%. Filtering out ICMP packets at the router we control only prevents the target host from seeing the ping replies, but does not recover the portion of our circuit occupied by the ping replies, or of Sprint's backbone circuits, or of other provider's circuits in the path, etc. The filters need to be higher up the chain. EVERYONE needs to install anti-spoof filters. I'd prefer not to be forced to filter out all pings. Everyone filtering out ICMP packets means there is a 100% successful denial of service attack on what is otherwise a very useful debugging tool (ping). Rick Watson The University of Texas, ACITS Networking Services r.watson@utexas.edu