On Mon, 11 Aug 1997, Rick Watson wrote:
This does not solve the entire problem. We have been the victim of such an attack for the last several days. The attack is using up about 7 Mbits of our DS3 to Sprint or about 16%. Filtering out ICMP packets at the router we control only prevents the target host from seeing the ping replies, but does not recover the portion of our circuit occupied by the ping replies, or of Sprint's backbone circuits, or of other providers' circuits in the path, etc.
FDT has also been the target of such attacks recently. You know the scenario. Some kid on IRC wants to own a channel, so he runs a script that pings the broadcast address of a few dozen networks claiming a source address of our IRC server...so we get hit so hard with icmp echo replies that UUNet's Cascade switch starts burping such that the end result is we get alternating [roughly] 0.5s bursts of silence / echo reply storms, and no useful traffic comes through our T1.

I have about 1.5mb of tcpdump data displaying this from an attack yesterday, and it happened again today. Fortunately, they usually do this only briefly. I'm probably going to tell our IRC admin to pull us off the IRC network. The only other viable option I can think of would be to ask UUNet to block all icmp for our network, and I don't want that.

------------------------------------------------------------------
 Jon Lewis <jlewis@fdt.net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
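
Added example, not part of the original message or the poster's own tooling: one way to turn a tcpdump capture like the one mentioned above into a list of amplifier networks to report upstream. It assumes `tcpdump -n` text output; the /24 grouping, the `min_hosts` threshold and the function name are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches `tcpdump -n` text lines in both the older ("icmp: echo reply")
# and the newer ("ICMP echo reply") output styles.
LINE = re.compile(r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): (?:ICMP|icmp:) echo (request|reply)")

def find_amplifiers(lines, victim, min_hosts=3, prefix=24):
    """Return [(network, distinct_hosts, replies)] for networks sending `victim`
    echo replies it never solicited, busiest first. Grouping by /24 is a heuristic."""
    victim = ip_address(victim)
    pinged = set()               # hosts the victim itself really pinged
    hosts = defaultdict(set)     # network -> distinct hosts that replied
    replies = defaultdict(int)   # network -> number of unsolicited replies
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, kind = ip_address(m.group(1)), ip_address(m.group(2)), m.group(3)
        if kind == "request" and src == victim:
            pinged.add(dst)      # a later reply from dst is legitimate
        elif kind == "reply" and dst == victim and src not in pinged:
            net = ip_network(f"{src}/{prefix}", strict=False)
            hosts[net].add(src)
            replies[net] += 1
    found = [(str(n), len(h), replies[n]) for n, h in hosts.items() if len(h) >= min_hosts]
    return sorted(found, key=lambda r: r[2], reverse=True)

# Constructed sample using documentation address ranges, not data from the post.
SAMPLE = """\
14:02:11.100 192.0.2.10 > 203.0.113.200: icmp: echo request
14:02:11.140 203.0.113.200 > 192.0.2.10: icmp: echo reply
14:02:12.001 198.51.100.1 > 192.0.2.10: icmp: echo reply
14:02:12.002 198.51.100.2 > 192.0.2.10: icmp: echo reply
14:02:12.003 198.51.100.3 > 192.0.2.10: icmp: echo reply
14:02:12.004 198.51.100.4 > 192.0.2.10: icmp: echo reply
14:02:12.005 198.51.100.1 > 192.0.2.10: icmp: echo reply
14:02:12.010 IP 203.0.113.5 > 192.0.2.10: ICMP echo reply, id 7, seq 1, length 64
14:02:12.011 IP 203.0.113.6 > 192.0.2.10: ICMP echo reply, id 7, seq 1, length 64
14:02:12.012 IP 203.0.113.7 > 192.0.2.10: ICMP echo reply, id 7, seq 1, length 64
14:02:12.020 10.9.9.9 > 192.0.2.10: icmp: echo reply
"""

if __name__ == "__main__":
    for network, n_hosts, n_replies in find_amplifiers(SAMPLE.splitlines(), "192.0.2.10"):
        print(f"{network}: {n_hosts} hosts, {n_replies} unsolicited echo replies")
```

The resulting network list is what the administrators of the amplifying networks need in order to stop answering broadcast pings, which is the only place the bandwidth described in the thread can actually be recovered.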