Hello All, I have a customer who is being ping-flooded. His bandwidth is being sucked up due to these floods, and wishes me to block them on my router. I am somewhat reluctant to do this, since it goes against our policy; however, the customer has been very patient with us on this issue and his patience is running out. I would be implementing on a Cisco 7507, with 3 T-3s to the Internet, and the customer hangs off the router on a T-1. What is the general consensus on providing such a service, particularly in terms of processing overhead and manageability. Is there another way to prevent this type of attack, aside from watching packets go by and trying to trace it back through the source. The source IPs are spoofed. Thanks! Christian Martin
You could just withdraw your BGP announcement for the net being attacked and suddenly the attack packets will die at the first router without a default route on their way to the victim. On Wed, 25 Mar 1998, Martin, Christian wrote:
Hello All,
I have a customer who is being ping-flooded. His bandwidth is being sucked up due to these floods, and wishes me to block them on my router. I am somewhat reluctant to do this, since it goes against our policy; however, the customer has been very patient with us on this issue and his patience is running out.
I would be implementing on a Cisco 7507, with 3 T-3s to the Internet, and the customer hangs off the router on a T-1. What is the general consensus on providing such a service, particularly in terms of processing overhead and manageability. Is there another way to prevent this type of attack, aside from watching packets go by and trying to trace it back through the source. The source IPs are spoofed.
Thanks! Christian Martin
-- Dan Boehlke, Senior Network Engineer M R N e t Internet: dboehlke@mr.net A MEANS Telcom Company Phone: 612-362-5814 2829 SE University Ave. Suite 200 WWW: http://www.mr.net/~dboehlke/ Minneapolis, MN 55414
You could just withdraw your BGP announcement for the net being attacked and suddenly the attack packets will die at the first router without a default route on their way to the victim.
...along with everything else. Do you have some way of determining which router that is? -- Phil Howard | stop6729@s5p0a6m6.org w2x8y9z0@lame1ads.net eat15me7@no6place.net phil | no12ads7@nowhere0.com die6spam@nowhere3.edu no70ads3@dumb1ads.com at | eat06me3@no20ads1.edu crash719@no6where.com stop4909@anywhere.net milepost | no12ads2@anywhere.org stop2ads@spam7mer.net no0spam0@no0where.edu dot | blow0me5@spam5mer.org end6ads8@lame4ads.org no3way57@no4where.org com | stop7211@no8where.net suck8it5@dumbads3.net eat69me1@no16ads1.edu
By looking at netflow stats or ip accounting I can usually find the host being attacked by sorting the list by destination. The source will point to hosts on a net being used as a smurf packet replicator, giving a hint who might need to be contacted to shut off directed broadcasts. Netflow stats even show it as being ICMP ECHO traffic if you look at the numeric codes in the flow export. Once you know who is being attacked, you can call your upstream providers or peers and have it traced, but if you want the traffic stopped and the attack is flooding your pipe, about all you can do it stop the traffic from getting to you, so if you are BGP peering with your neighbors, withdraw the network annoucement for the victim and the rest of your customers can continue to get their trafic. This doesn't help trace in, although give how older cisco IOS code reacts to tossing out unroutable packets, the intermediate hosts may find they have a problem when their router CPU use hits 100%. I too would rather have a good quick way to nail the people initiating this sort of attack. However I have also found that my customers who are victims are seldom random and are usually doing something to attract the attack, like running IRC bots or running a sendmail capable of being a SPAM relay. However I don't approve of vigilantism. This stuff can be taken care of in other ways. On Thu, 26 Mar 1998, Phil Howard wrote:
You could just withdraw your BGP announcement for the net being attacked and suddenly the attack packets will die at the first router without a default route on their way to the victim.
...along with everything else. Do you have some way of determining which router that is?
-- Phil Howard | stop6729@s5p0a6m6.org w2x8y9z0@lame1ads.net eat15me7@no6place.net phil | no12ads7@nowhere0.com die6spam@nowhere3.edu no70ads3@dumb1ads.com at | eat06me3@no20ads1.edu crash719@no6where.com stop4909@anywhere.net milepost | no12ads2@anywhere.org stop2ads@spam7mer.net no0spam0@no0where.edu dot | blow0me5@spam5mer.org end6ads8@lame4ads.org no3way57@no4where.org com | stop7211@no8where.net suck8it5@dumbads3.net eat69me1@no16ads1.edu
-- Dan Boehlke, Senior Network Engineer M R N e t Internet: dboehlke@mr.net A MEANS Telcom Company Phone: 612-362-5814 2829 SE University Ave. Suite 200 WWW: http://www.mr.net/~dboehlke/ Minneapolis, MN 55414
Dan Boehlke writes:
By looking at netflow stats or ip accounting I can usually find the host being attacked by sorting the list by destination. The source will point to hosts on a net being used as a smurf packet replicator, giving a hint who might need to be contacted to shut off directed broadcasts. Netflow stats even show it as being ICMP ECHO traffic if you look at the numeric codes in the flow export. Once you know who is being attacked, you can call your upstream providers or peers and have it traced, but if you want the traffic stopped and the attack is flooding your pipe, about all you can do it stop the traffic from getting to you, so if you are BGP peering with your neighbors, withdraw the network annoucement for the victim and the rest of your customers can continue to get their trafic. This doesn't help trace in, although give how older cisco IOS code reacts to tossing out unroutable packets, the intermediate hosts may find they have a problem when their router CPU use hits 100%.
I too would rather have a good quick way to nail the people initiating this sort of attack. However I have also found that my customers who are victims are seldom random and are usually doing something to attract the attack, like running IRC bots or running a sendmail capable of being a SPAM relay. However I don't approve of vigilantism. This stuff can be taken care of in other ways.
I've always held that one thing routers should do is apply the routing logic to the source address of each packet, and verify that the interface it came in on was one of the valid interfaces a reply could return through. It might not be the best route (e.g. asymmetric), but it would at least have to be one of the possible routes. This would break thoses cases where the network would break anyway if that was the only interface to reach the source as a destination (for valid sources). This would at worst case double the CPU usage (if the CPU was doing nothing but route logic). This doesn't affect the scalability formula since with this, tripling the bandwidth still means increasing the performance of the router in the same ratio as it would have been anyway (after it has already been doubled). The cost of this has to be weighed against the cost of the impact of spoofed sources and the manual resources used to track them down. That may not justify the feature. Another possible approach is a tracking protocol. One possible way is for a message to be sent to the router to watch for packets with a specific host or network destination, and send a report to the requester indicating where that packet is coming from, and pass the request on to that same interface. A flag would indicate if the actual packet should be dropped or not for the duration of the tracking (perhaps up to 200 seconds). This logic itself would be subject to abuse, so it would have to have strong security designed into it, such as the verification that it did come from a valid interface as per the logic I described in a previous paragraph. With more and more of these attacks happening, and more and more clueless untrained or improperly trained people being hired to answer the phones at many (or most) of the major backbones, something else is clearly needed. But I do think a smarter router could help. But just how smart is a good question. The most efficient and secure method is desired. -- Phil Howard | no4spam7@lame1ads.net end6ads4@dumb0ads.edu a7b6c3d3@anywhere.com phil | no6spam4@no6place.org eat74me7@nowhere6.com eat7this@nowhere8.com at | no9way37@lame7ads.org stop9752@dumbads2.com crash530@dumbads8.org milepost | ads5suck@dumbads1.edu crash979@anyplace.com stop2208@anywhere.com dot | stop7941@nowhere8.com die3spam@no0where.org stop9114@anywhere.net com | a7b0c5d3@anyplace.net w5x1y1z5@dumb7ads.com blow2me2@lame7ads.org
participants (3)
-
Dan Boehlke
-
Martin, Christian
-
Phil Howard