We are currently undergoing a ping flood attack, though our upstream provider has filtered icmp from the host so the flood is no longer affecting our T1 line.
The system administrator of the site that appears to be flooding us doesn't believe his site is the source of the attack. He states that he can't see the icmp packets, though I don't know how he is sniffing his wire.
My questions are these:
Is it possible for someone to forge the source IP address of an icmp packet?
Yes, trivially.
If so, do they have to be in some routing proximity, or can they forge the source address while they are connected from anywhere in the world?
Anywhere that doesn't have outbound source filtering on their net connection... which is almost nobody. Back when I was at UC Berkeley in the late 80s, variations on this scheme were coded up and regularly used to interfere with other people's network game sessions (re-routing xtrek screen updates through Finland, similar stunts). The same basic concept can be done with any source IP addr and any ICMP command (or, basically, any IP data you want too). It is entirely possible that the information the other sysadmin has, that it's not coming from his net, is correct. If so, you have to go to your upstream and start tracing those packets back through the WAN connections to find out where they come from. This is doable but not at all trivial. However, if you see enough evidence to think it's someone trying to take you down maliciously and not just goofing off a bit, it is definitely worth doing the backtrack to find them. This is a classic denial of service attack which is a computer crime in most states and under federal computer crime laws if the attacker is in another state from you.

-george william herbert gherbert@crl.com
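An added example, not part of the thread above: Python showing the two defender-side checks the reply touches on, the "outbound source filtering" (what is now called BCP 38 egress filtering) that stops a border from emitting packets with forged sources, and a rate check on inbound ICMP echo requests that treats the claimed source as a lead rather than proof. All prefixes, addresses and packet records are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: prefixes this site legitimately originates traffic from.
LOCAL_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]

# Constructed packet records: (time_s, direction, src, dst, proto, icmp_type).
PACKETS = [
    (0.00, "out", "192.0.2.10", "203.0.113.5", "icmp", 8),  # legitimate ping
    (0.05, "out", "198.51.100.200", "203.0.113.5", "icmp", 8),  # outside our /25
    (0.10, "out", "10.9.9.9", "203.0.113.5", "icmp", 8),  # not our address at all
    (0.20, "in", "203.0.113.5", "192.0.2.10", "icmp", 0),  # echo reply
] + [
    # 40 inbound echo requests within 0.4 s, all claiming one source: a flood.
    (1.0 + i * 0.01, "in", "203.0.113.77", "192.0.2.10", "icmp", 8) for i in range(40)
]


def egress_violations(packets, prefixes=LOCAL_PREFIXES):
    """Outbound packets whose source is not ours. A border that applies this
    'outbound source filtering' cannot emit packets forged with a foreign address."""
    bad = []
    for _t, direction, src, dst, _proto, _itype in packets:
        if direction == "out" and not any(ip_address(src) in p for p in prefixes):
            bad.append((src, dst))
    return bad


def echo_request_floods(packets, window=1.0, threshold=20):
    """{claimed_src: peak inbound echo requests per window} for sources above threshold.
    The key is the claimed source, which may be forged: a lead for the upstream
    trace the reply describes, not proof of where the packets originate."""
    times = defaultdict(list)
    for t, direction, src, _dst, proto, itype in packets:
        if direction == "in" and proto == "icmp" and itype == 8:
            times[src].append(t)
    floods = {}
    for src, ts in times.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[src] = peak
    return floods


if __name__ == "__main__":
    print("egress violations:", egress_violations(PACKETS))
    print("echo-request floods:", echo_request_floods(PACKETS))
```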