Joe, thanks... what if someone ping attacks the web server and then spoofs the IP address of the web server to attack someone else? We had that happen, and we did use a sniffer and got tons of information from it, but the IP addresses that were there were from other places (like schools, other ISPs, etc.)... the person probably pinged the broadcast address of some other sites and got valid addresses and then ping attacked us. Have you recently experienced this? We're trying to track down the person, but it's very difficult... any ideas?

On Fri, 15 Aug 1997, Joe Shaw wrote:
On Fri, 15 Aug 1997, Network Admin Account wrote:
Has anyone been recently attacked by massive flood pings? We are trying to locate any other ISPs or anyone else having the same problem.
Ping floods are quite possibly the single most common form of attempted denial of service attacks. If someone is ping flooding you, plug a sniffer into the Ethernet and take a look at where they're coming from. Or, if you know what host on your network is under attack, a simple netstat will show you the open connections at that time. If you're lucky, it's just some clueless person doing a ping -f or similar. Or, you're being attacked by the smurf.c program (or similar) that forges ICMP packets with your source address to broadcast addresses and then you get flooded by the replies. I'd just go to a few of your machines and do a netstat on them, then dump the data to a file and see if you can see where all the ICMP packets are coming from. When you find out, it's time to get on the horn and talk to the Administrative and Technical contact for the domain. Also, it might not be a bad idea to deny ICMP at your router. This can be done by adding a line like this to your Cisco access-list:
access-list 101 permit icmp any host 204.253.208.20
access-list 101 permit icmp any host 204.253.208.10
access-list 101 deny icmp any 204.253.208.0 0.0.0.255
access-list 101 permit ip any any
The permit lines allow people from the outside (or whatever other interface(s) we apply this access list to) to still ping some sites. All ICMP traffic to others is denied.
I don't mean to insult your intelligence if you already knew this, but I figured if you didn't know it, you might want to. And, we haven't experienced any ping flood recently that I can think of (the access-list did help).
Joe Shaw - jshaw@insync.net NetAdmin - Insync Internet Services
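Added example, not from the original thread: detection logic for the smurf pattern Joe describes, run over a constructed sniffer capture. The victim never sees the forged echo requests, only the replies, so the check matches each inbound echo reply against requests we actually sent and groups the unmatched ones by source /24, which names the amplifier networks whose contacts you would call. The capture line format is an assumption loosely modelled on tcpdump output; 204.253.208.20 is the host from Joe's access list, the other addresses are documentation ranges.

```python
# Added example (not from the original thread): flag smurf-style ICMP amplification
# in a sniffer capture. Line format below is assumed, loosely modelled on tcpdump.
from collections import Counter
import ipaddress
import re

# Constructed sample capture: one legitimate ping exchange, then replies we never asked for.
SAMPLE_CAPTURE = """\
10:00:01.001 IP 204.253.208.20 > 198.51.100.7: ICMP echo request, id 1, seq 1
10:00:01.050 IP 198.51.100.7 > 204.253.208.20: ICMP echo reply, id 1, seq 1
10:00:02.000 IP 192.0.2.1 > 204.253.208.20: ICMP echo reply, id 9, seq 3
10:00:02.001 IP 192.0.2.2 > 204.253.208.20: ICMP echo reply, id 9, seq 3
10:00:02.001 IP 192.0.2.3 > 204.253.208.20: ICMP echo reply, id 9, seq 3
10:00:02.002 IP 203.0.113.17 > 204.253.208.20: ICMP echo reply, id 9, seq 3
10:00:02.002 IP 203.0.113.18 > 204.253.208.20: ICMP echo reply, id 9, seq 3
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)$"
)

def parse_capture(text):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])

def find_unsolicited_replies(text, our_hosts):
    """Count echo replies to our hosts that match no request we sent, keyed by source /24.
    A smurf victim never sees the forged requests, only the replies from the amplifier
    networks, so unsolicited replies grouped by network point at the amplifiers.
    """
    sent = set()
    unsolicited = Counter()
    for src, dst, kind, echo_id, seq in parse_capture(text):
        if kind == "request" and src in our_hosts:
            sent.add((src, dst, echo_id, seq))
        elif kind == "reply" and dst in our_hosts and (dst, src, echo_id, seq) not in sent:
            net = ipaddress.ip_network(f"{src}/24", strict=False)
            unsolicited[str(net)] += 1
    return dict(unsolicited)

def looks_like_smurf(unsolicited, min_networks=2, min_replies=3):
    """Heuristic: unsolicited replies from several networks, not one misbehaving host."""
    return len(unsolicited) >= min_networks and sum(unsolicited.values()) >= min_replies
```

Run `find_unsolicited_replies(SAMPLE_CAPTURE, {"204.253.208.20"})` to get the per-network counts; the one legitimate reply from 198.51.100.7 is excluded because its request was seen.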