Are there any procedures in place to track down this kind of network abuse? In particular, is it possible that it is a stealth attack? Before you answer, take note that this is going to appear in Bob Metcalfe's column next week.

---------- Forwarded message ----------
Date: Mon, 8 Jul 1996 15:30:43 -0600 (MDT)
From: Kevin Rosenberg <kevin@cyberport.com>
Reply-To: inet-access@earth.com
To: inet-access@earth.com
Subject: Re: Ping flooding
Resent-Date: Mon, 8 Jul 1996 15:30:53 -0600 (MDT)
Resent-From: inet-access@earth.com
Some months later we had an incident of massive amounts of forged email from a site called SUNSETDIRECT.COM. For several weeks they sent forged
We are currently undergoing a ping flood attack, though our upstream provider has filtered icmp from the host so the flood is no longer affecting our T1 line.

The system administrator of the site that appears to be flooding us doesn't believe his site is the source of the attack. He states that he can't see the icmp packets, though I don't know how he is sniffing his wire.

My questions are these:

Is it possible for someone to forge the source IP address of an icmp packet?

If so, do they have to be in some routing proximity, or can they forge the source address while they are connected from anywhere in the world?

Thanks!

--------------------------------------------------------------------
Kevin Rosenberg              | CyberPort Station
Chief System Administrator   | The Finest Internet Service Possible!
kevin@cyberport.com          | http://www.cyberport.com
Finger kevin@cyberport.com for PGP Public Key
--------------------------------------------------------------------

============================== ISP Mailing List ==============================
Email ``unsubscribe'' to inet-access-request@earth.com to be removed.
Do not post flames to the list -- if you must flame, use private email.
According to: Michael Dillon
Are there any procedures in place to track down this kind of network abuse? In particular, is it possible that it is a stealth attack? Before you answer, take note that this is going to appear in Bob Metcalfe's column next week.
what is, how to forge a ping attack expediting the imminent death of the net? :)
---------- Forwarded message ----------
Date: Mon, 8 Jul 1996 15:30:43 -0600 (MDT)
From: Kevin Rosenberg <kevin@cyberport.com>
Reply-To: inet-access@earth.com
To: inet-access@earth.com
Subject: Re: Ping flooding
Resent-Date: Mon, 8 Jul 1996 15:30:53 -0600 (MDT)
Resent-From: inet-access@earth.com
Some months later we had an incident of massive amounts of forged email from a site called SUNSETDIRECT.COM. For several weeks they sent forged
We are currently undergoing a ping flood attack, though our upstream provider has filtered icmp from the host so the flood is no longer affecting our T1 line.
The system administrator of the site that appears to be flooding us doesn't believe his site is the source of the attack. He states that he can't see the icmp packets, though I don't know how he is sniffing his wire.
My questions are these:
Is it possible for someone to forge the source IP address of an icmp packet?
If so, do they have to be in some routing proximity, or can they forge the source address while they are connected from anywhere in the world?
Thanks!
yes, forging a ping attack is pretty easy and can be done from anywhere with any source address (of course, who knows where the responses will end up), the routing proximity is irrelevant, since the source is not looked at (unless filters have been put in place, such as what the upstream provider has apparently done).

the only way _I can think of_ in tracking it down, would be to backtrack the possible paths into the router. either by sniffing the possible lines coming into router, or by temporarily disabling icmp echo reqs. from all but one incoming line, until you've found the offending line, continuing back.

of course this may be impossible in many cases since you probably don't have access to the equipment (or cooperation) outside of your domain.
--------------------------------------------------------------------
Kevin Rosenberg              | CyberPort Station
Chief System Administrator   | The Finest Internet Service Possible!
kevin@cyberport.com          | http://www.cyberport.com
Finger kevin@cyberport.com for PGP Public Key
--------------------------------------------------------------------
-- - rusty eddy@isi.edu
On Mon, 8 Jul 1996, George Eddy wrote:
yes, forging a ping attack is pretty easy and can be done from anywhere with any source address (of course, who knows where the responses will end up), the routing proximity is irrelevant, since the source is not looked at (unless filters have been put in place, such as what the upstream provider has apparently done).
the only way _I can think of_ in tracking it down, would be to backtrack the possible paths into the router. either by sniffing the possible lines coming into router, or by temporarily disabling icmp echo reqs. from all but one incoming line, until you've found the offending line, continuing back.
of course this may be impossible in many cases since you probably don't have access to the equipment (or cooperation) outside of your domain.
OK. So what if somebody is currently planning a ping battle on the global Internet, kind of like corewars in the network. Then what? Do the NSP's all roll over and play dead?

If I were to crosspost this reply to alt.2600 it wouldn't take long to happen you know. BTW, I won't be crossposting it there, but you get the idea, security by obscurity, etc...

Is anyone working on tools to help NSP's quickly backtrack this kind of thing?

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael@memra.com
OK. So what if somebody is currently planning a ping battle on the global Internet, kind of like corewars in the network. Then what? Do the NSP's all roll over and play dead?
Sounds sort of like the day they put Peter Gabriel on MBONE.

In a word, and unfortunately, yes. See more below.
Before you answer, take note that this is going to appear in Bob Metcalfe's column next week.
In a word, and fortunately, no. See more on last line.
We are currently undergoing a ping flood attack, though our upstream provider has filtered icmp from the host so the flood is no longer affecting our T1 line.
You should thank them for this, as it is pretty much your only recourse.
The system administrator of the site that appears to be flooding us doesn't believe his site is the source of the attack. He states that he can't see the icmp packets, though I don't know how he is sniffing his wire.
Provided that he has a single broadcast LAN segment (e.g., an ethernet segment on a dumb hub) feeding into his network feed (T1 or whatever), then he could use tcpdump or Solaris' snoop to check for ICMP packets.
My questions are these:
Is it possible for someone to forge the source IP address of an icmp packet?
Trivially so, yes.
If so, do they have to be in some routing proximity, or can they forge the source address while they are connected from anywhere in the world?
To answer this question, think about how your Internet gateway works. When it receives an outgoing packet, what does it do? It examines the destination header and makes a decision as to which interface to forward it onto. If it is destined for network X, then it consults its routing table and merrily forwards the packet.

If you have a very restrictive security policy, then you might want to place a packet filter on all outgoing traffic. If your network is 10.1.1.64/26, then you might have the following two rules:

    action   source         destination
    ------   ------         -----------
    allow    10.1.1.64/26   *
    deny     *              *

Of course, no one does this, because it is very time consuming for your router to examine every packet in this way. This translates into more marginal cost on your hardware for very little return.

Say that person X, the person who owns the network from which these pings are apparently originating, did have such a filter. What does this do? It proves that the packets are not originating on his network. Does it stop anyone else from forging these packets? No. The attacker, Y, might have a machine on someone else's network. If they do not have a similar rule on their routers connecting to the global network (again, most people don't), then these packets will simply be routed to their destination.

But say that Y is not a guest on someone else's network. Say he has a T1 from, e.g., MCI. At the router on MCI's end of the T1, do they have one of these filters to prevent such impersonations? Probably not. And why would they? It would be very expensive (the leased line business is very competitive), and the only thing it would do is potentially annoy the customer. If they are mistakenly placing the wrong return address on their packets, then they will figure it out very quickly; all return traffic from any network sessions they establish will be sent to another network. Zippo, no WWW, no mail, etc.

In other words, the attacker could be anywhere in the world.
The only way to track him down would be for your ISP to put monitors at all of their interconnect points with other networks. Once they figure out the point at which the traffic is entering their network, then _that_ network would have to place monitors on all of _their_ connect points. Eventually, you could track it down this way. I don't think that you would be very successful convincing the various networks to cooperate, though.

Your provider did a very nice thing by stopping all ICMP packets. You should make it publicly known that they are doing so, in the hopes that whoever is doing this will tire of using all their bandwidth to bombard you. (Until they do so, your ISP will continue to absorb the cost of transporting all this traffic to your doorstep and /dev/nulling it.)

If they ever start forging packets to your www server|port 80, you will be royally screwed. Be glad that your attacker is stupid, because they appear to be rich and patient (assuming it really is a forged address.)
Thanks!
You're welcome.

P.s., It probably isn't forged. Ask for more details from the suspect's network administrator. If he continues to be uncooperative, call the upstream provider of the apparent offender and ask them to monitor the suspect's line. This qualifies as definite antisocial behaviour.

_____________________________________________________________________
Todd Graham Lewis                                     Core Engineering
Mindspring Enterprises                           tlewis@mindspring.com
(Standard Disclaimers)                           (800) 719 4664, x2804
(Copyright 1996 Todd Lewis, All Rights Reserved.)
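Todd's two-rule outbound filter, worked through as an added example (this is not code from the thread or from anyone posting in it). It applies the allow/deny rules to constructed outbound packets at a customer edge that has the filter and at one that does not, which is the same customer-side source-address filtering David Conrad argues for later in the thread. The prefix 10.1.1.64/26 is the one from the post; the packet addresses, the Packet and Rule types and the function names are assumptions made for the example.

```python
"""Source-address egress filter modelled on the two-rule ACL in the post.

Added example, not code from the original thread. The packets, the
Packet/Rule types and the function names are constructed for illustration;
only the prefix 10.1.1.64/26 and the two rules come from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "icmp" or "tcp"; only used to make the sample readable


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    source: Optional[IPv4Network]        # None stands for "*" (any source)
    destination: Optional[IPv4Network]   # None stands for "*" (any destination)

    def matches(self, pkt: Packet) -> bool:
        src_ok = self.source is None or ip_address(pkt.src) in self.source
        dst_ok = self.destination is None or ip_address(pkt.dst) in self.destination
        return src_ok and dst_ok


def egress_rules(customer_prefix: str) -> List[Rule]:
    """The two rules from the post: allow the customer's own prefix, deny the rest."""
    return [
        Rule("allow", ip_network(customer_prefix), None),
        Rule("deny", None, None),
    ]


def filter_outbound(pkt: Packet, rules: Optional[List[Rule]]) -> str:
    """Return 'allow' or 'deny' for a packet leaving the customer edge.

    rules=None models the common case the post describes: no filter at all,
    so every packet is forwarded whatever its source address says.
    """
    if rules is None:
        return "allow"
    for rule in rules:  # first matching rule wins
        if rule.matches(pkt):
            return rule.action
    return "deny"  # defensive default; the explicit deny-all rule normally hits first


def run_edges(packets: List[Packet]) -> Dict[str, List[str]]:
    """Apply the filter at an edge that has it and at one that does not."""
    filtered = egress_rules("10.1.1.64/26")
    return {
        "with_filter": [filter_outbound(p, filtered) for p in packets],
        "without_filter": [filter_outbound(p, None) for p in packets],
    }


# Constructed sample traffic: a legitimate packet from inside 10.1.1.64/26
# (which spans 10.1.1.64 through 10.1.1.127) and an ICMP echo request whose
# source address is forged to 10.1.1.130, outside that /26.
SAMPLE_PACKETS = [
    Packet(src="10.1.1.70", dst="192.0.2.10", proto="tcp"),
    Packet(src="10.1.1.130", dst="192.0.2.10", proto="icmp"),
]

if __name__ == "__main__":
    for edge, verdicts in run_edges(SAMPLE_PACKETS).items():
        print(edge, verdicts)
```

The point Todd makes survives the code: the filtered edge proves nothing about packets arriving from elsewhere, and the unfiltered edge passes the forged packet untouched, so the filter only helps when the provider on the attacker's side of the network has deployed it.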
In message <9607090242.AA06197@wisdom.home.vix.com>, Paul A Vixie writes:
OK. So what if somebody is currently planning a ping battle on the global Internet, kind of like corewars in the network. Then what? Do the NSP's all roll over and play dead?
Sounds sort of like the day they put Peter Gabriel on MBONE.
Actually it was much worse when the Washington DC IETF was on the mbone in December of 1993 (the NSS was/is fine in this regard, though in 1993 the routing software had a very rough time with the high level of route flap). At that time mrouted's method of tunnelling was changed to avoid the problem.

Curtis
In message <Pine.BSI.3.93.960708190406.27458F-100000@sidhe.memra.com>, Michael Dillon writes:
Is anyone working on tools to help NSP's quickly backtrack this kind of thing?
The NSS routers allow us to do statistical sampling continuously and the occurrence of a source address at an entry point where it does not usually enter can be detected and has in the past been used to follow up these sort of attacks after the fact. Other routers are not capable of doing this but if the offense is repeated, successive monitoring can be set up until the source is isolated.

We have requested the same sort of statistical sampling from Cisco and Bay (and BNR/NSC). It is a long ways back on the development schedule for all but Bay. It requires a hook in the forwarding path and is a bit memory intensive and requires some, but not a lot of CPU on the processor given the task of summarization (usually the processor doing routing, not necessarily for Bay - not sure yet). The RS6000s are typically running in the range of 50% to 90% CPU idle if you check one second intervals or 75% to 90% if you check 10 second intervals unless very major sustained route flap is occurring (or cron kicks something off). Mileage will vary with router design.

The main purpose of the statistical sampling is traffic engineering, but it sometimes comes in handy for following up on attacks with forged source addresses. Requests for this type of data for security followups have been very infrequent.

Curtis
On Jul 9, 14:21, Curtis Villamizar <curtis@ans.net> wrote:
The NSS routers allow us to do statistical sampling continuously and the occurrence of a source address at an entry point where it does not usually enter can be detected and has in the past been used to follow up these sort of attacks after the fact. Other routers are not capable of doing this but if the offense is repeated, successive monitoring can be set up until the source is isolated.
We have requested the same sort of statistical sampling from Cisco and Bay (and BNR/NSC). It is a long ways back on the development schedule
Maybe I'm missing something, but flow switching stats from Ciscos should do exactly this:

    SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr  DstP  SrcP  Pkts  B/Pk  Active
    Se1/0  194.130.16.17   Se1/6  130.144.65.1    11  0035  0035  2     69    0.0
    Et0/2  193.122.198.1   Se1/1  128.218.14.87   06  0050  0FA3  2     40    0.0
    Se1/5  130.144.65.1    Se1/0  194.130.16.17   11  0035  0035  2     69    0.0
    Se1/1  153.36.40.52    Et0/1  193.74.242.1    06  0413  0050  4     44    9.6
    Se1/5  194.178.24.22   Se1/7  146.228.10.11   06  0407  0050  124   40    207.6
    Se1/7  146.228.10.11   Se1/6  194.178.24.22   06  0050  0405  648   550   673.4
    Se1/5  194.165.95.69   Se1/0  205.216.146.69  06  0430  0050  5     164   6.2

etc, etc. Dump, then grep.

--
------ ___ ---          Per G. Bilse, Mgr Network Operations Ctr
----- / / / __ ___ _/_ ----     EUnet Communications Services B.V.
---- /--- / / / / /__/ / -----  Singel 540, 1017 AZ Amsterdam, NL
--- /___ /__/ / / /__ / ------  tel: +31 20 6233803, fax: +31 20 6224657
--- -------                     24hr emergency number: +31 20 421 0865
--- Connecting Europe since 1982 ---  http://www.EU.net  e-mail: bilse@EU.net
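Per's "dump, then grep" and Curtis Villamizar's earlier point about a source address turning up at an entry point where it does not usually enter, worked through as one added example (not code from the thread, from EUnet, from ANS or from Cisco). It parses a flow table in the layout quoted above, summarises which input interfaces carry traffic towards a flooded host, and flags flows whose source prefix normally enters on a different interface. The first seven rows are the ones quoted in the post; the last two rows, the choice of 193.74.242.1 as the flooded host, the 203.0.113.0/24 prefix and the KNOWN_ENTRY table are constructed for the example.

```python
"""Locate where traffic to a flooded host enters, from a Cisco-style flow dump.

Added example, not code from the thread or from Cisco. Rows 1-7 of FLOW_DUMP
are the ones quoted in the post; rows 8-9, KNOWN_ENTRY and the use of
193.74.242.1 as the flooded host are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

FLOW_DUMP = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr DstP SrcP Pkts B/Pk Active
Se1/0 194.130.16.17 Se1/6 130.144.65.1 11 0035 0035 2 69 0.0
Et0/2 193.122.198.1 Se1/1 128.218.14.87 06 0050 0FA3 2 40 0.0
Se1/5 130.144.65.1 Se1/0 194.130.16.17 11 0035 0035 2 69 0.0
Se1/1 153.36.40.52 Et0/1 193.74.242.1 06 0413 0050 4 44 9.6
Se1/5 194.178.24.22 Se1/7 146.228.10.11 06 0407 0050 124 40 207.6
Se1/7 146.228.10.11 Se1/6 194.178.24.22 06 0050 0405 648 550 673.4
Se1/5 194.165.95.69 Se1/0 205.216.146.69 06 0430 0050 5 164 6.2
Se1/5 203.0.113.9 Et0/1 193.74.242.1 01 0800 0000 9000 64 120.0
Et0/2 203.0.113.9 Se1/1 128.218.14.87 06 0050 1F90 3 40 0.1
"""
# Constructed rows 8-9: a heavy ICMP (protocol 01) flow towards 193.74.242.1
# entering on Se1/5 with source 203.0.113.9, and that customer's ordinary
# traffic entering on Et0/2, the interface its prefix is expected on.

# Constructed: which input interface each known customer prefix normally enters on.
KNOWN_ENTRY: Dict[IPv4Network, str] = {
    ip_network("203.0.113.0/24"): "Et0/2",
}


def parse_flow_dump(text: str) -> List[Dict[str, str]]:
    """Turn the whitespace-separated flow table into a list of row dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            continue  # not a flow row (e.g. 'etc, etc.' or a prompt)
        rows.append(dict(zip(header, fields)))
    return rows


def entry_interfaces_for(rows: List[Dict[str, str]], victim: str) -> List[Tuple[str, int]]:
    """'Dump, then grep': input interfaces carrying packets to `victim`,
    heaviest first, so the candidate entry point is at the top."""
    per_if: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r["DstIPaddress"] == victim:
            per_if[r["SrcIf"]] += int(r["Pkts"])
    return sorted(per_if.items(), key=lambda kv: kv[1], reverse=True)


def unexpected_sources(rows: List[Dict[str, str]],
                       known_entry: Dict[IPv4Network, str]) -> List[Tuple[str, str, str]]:
    """Flag flows whose source belongs to a prefix that normally enters on a
    different interface: (seen_on, source, expected_on). Sources outside every
    known prefix cannot be judged from this table alone and are skipped."""
    flagged = []
    for r in rows:
        src = ip_address(r["SrcIPaddress"])
        for prefix, expected_if in known_entry.items():
            if src in prefix and r["SrcIf"] != expected_if:
                flagged.append((r["SrcIf"], r["SrcIPaddress"], expected_if))
    return flagged


if __name__ == "__main__":
    flows = parse_flow_dump(FLOW_DUMP)
    print("entry points for 193.74.242.1:", entry_interfaces_for(flows, "193.74.242.1"))
    print("sources on an unexpected interface:", unexpected_sources(flows, KNOWN_ENTRY))
```

The second check only works for prefixes whose usual entry point you already know, which is why Curtis describes building that picture from continuous sampling rather than from a one-off dump; the first check is the part you can do the moment the flood is visible in the flow cache.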
In message <199607091907.AA29463@jotun.EU.net>, Per Gregers Bilse writes:
On Jul 9, 14:21, Curtis Villamizar <curtis@ans.net> wrote:
The NSS routers allow us to do statistical sampling continuously and the occurrence of a source address at an entry point where it does not usually enter can be detected and has in the past been used to follow up these sort of attacks after the fact. Other routers are not capable of doing this but if the offense is repeated, successive monitoring can be set up until the source is isolated.
We have requested the same sort of statistical sampling from Cisco and Bay (and BNR/NSC). It is a long ways back on the development schedule
Maybe I'm missing something, but flow switching stats from Ciscos should do exactly this:
    SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr  DstP  SrcP  Pkts  B/Pk  Active
    Se1/0  194.130.16.17   Se1/6  130.144.65.1    11  0035  0035  2     69    0.0
    Et0/2  193.122.198.1   Se1/1  128.218.14.87   06  0050  0FA3  2     40    0.0
    Se1/5  130.144.65.1    Se1/0  194.130.16.17   11  0035  0035  2     69    0.0
    Se1/1  153.36.40.52    Et0/1  193.74.242.1    06  0413  0050  4     44    9.6
    Se1/5  194.178.24.22   Se1/7  146.228.10.11   06  0407  0050  124   40    207.6
    Se1/7  146.228.10.11   Se1/6  194.178.24.22   06  0050  0405  648   550   673.4
    Se1/5  194.165.95.69   Se1/0  205.216.146.69  06  0430  0050  5     164   6.2
etc, etc. Dump, then grep.
--
------ ___ ---          Per G. Bilse, Mgr Network Operations Ctr
----- / / / __ ___ _/_ ----     EUnet Communications Services B.V.
---- /--- / / / / /__/ / -----  Singel 540, 1017 AZ Amsterdam, NL
--- /___ /__/ / / /__ / ------  tel: +31 20 6233803, fax: +31 20 6224657
--- -------                     24hr emergency number: +31 20 421 0865
--- Connecting Europe since 1982 ---  http://www.EU.net  e-mail: bilse@EU.net
I have always been under the impression that Cisco flow switching and high performance were mutually exclusive if there were too many active flows as is the case for the major US ISPs at least.

What the RS6000 does is the forwarding cards sample one in 50 packets, strip all but the headers, pack it into a buffer and send the buffers to the RS6000 processor for inclusion in histograms. We can come close to doing 1:1 sampling but not quite. The 1:50 has proven just fine for traffic management and also come in handy for tracking persistent source address spoofers back to the next provider.

Another difference is with the flow switching, you need to catch them in the act. With the sampling and collection, you can call hours later (days or weeks actually, years if you count going to tape) and still determine the candidate entry points for the traffic. I don't think there is a practical way to get the same sort of historic archive from the flow switching stats.

Curtis
On Jul 9, 19:15, Curtis Villamizar <curtis@ans.net> wrote:
I have always been under the impression that Cisco flow switching and high performance were mutually exclusive if there were too many active flows as is the case for the major US ISPs at least.
This may or may not be the case, but that wasn't the question; the question was if information required to track bogus packets was available. Apart from that, flow switching should probably be seen in the light of distributed switching, but all of this is something sales critters are there to talk about.
Another difference is with the flow switching, you need to catch them in the act. With the sampling and collection, you can call hours later (days or weeks actually, years if you count going to tape) and still determine the candidate entry points for the traffic. I don't think there is a practical way to get the same sort of historic archive from the flow switching stats.
As noted in other mail, it appears there is a solution to that.

--
------ ___ ---          Per G. Bilse, Mgr Network Operations Ctr
----- / / / __ ___ _/_ ----     EUnet Communications Services B.V.
---- /--- / / / / /__/ / -----  Singel 540, 1017 AZ Amsterdam, NL
--- /___ /__/ / / /__ / ------  tel: +31 20 6233803, fax: +31 20 6224657
--- -------                     24hr emergency number: +31 20 421 0865
--- Connecting Europe since 1982 ---  http://www.EU.net  e-mail: bilse@EU.net
Hi,
yes, forging a ping attack is pretty easy and can be done from anywhere with any source address
Yeah, but forging TCP syn attacks is more fun (fill up those TCBs). Denial of service attacks are a real pain, particularly as they are so easy to implement and so hard to defend against. Of course, this isn't limited to the Internet (as a person who has been victimized by a rapid redialing fax machine at 4:00 AM can attest).
the routing proximity is irrelevant, since the source is not looked at (unless filters have been put in place, such as what the upstream provider has apparently done).
About the only way you can stop this attack would be for ISPs to filter out bogus source addresses from their customers. Of course, then the mobile IP people would whine. However, given a future of more attacks of this nature, I think the mobile IP people are going to lose.

Cheers,
-drc
George Eddy writes:
According to: Michael Dillon
Are there any procedures in place to track down this kind of network abuse? In particular, is it possible that it is a stealth attack? Before you answer, take note that this is going to appear in Bob Metcalfe's column next week.
[BTW, tracking down this sort of thing is pretty easy, it just requires some cooperation.]
what is, how to forge a ping attack expediting the imminent death of the net? :)
Look, if someone actually wanted to shut the net down next week, and was smart enough, they could. I've said this at various times and places with various degrees of loudness. Ping attacks aren't the way to do it, and indeed, I see no point in mentioning how since everyone here worth their salt already knows what I'd say.

However, the situation is rapidly improving, and is well understood. The reason Bob Metcalfe is a yellow journalist is not that he's pointing out problems when there are none. Of course there are problems. The problem is that he's talking about everything as if people weren't working hard and as if the current crew was a bunch of incompetents. In fact, of course, the opposite is true, but one can't expect Metcalfe to be objective. He has a grudge against most of us, and he's unhappy that we've thought him silly and irrelevant.

Perry
On Mon, 8 Jul 1996, Michael Dillon wrote:
Are there any procedures in place to track down this kind of network abuse? In particular, is it possible that it is a stealth attack? Before you answer, take note that this is going to appear in Bob Metcalfe's column next week.
you can easily forge the header on an ICMP packet to make it look like it came from any address you wish, to my knowledge, there really isn't a way you can track it down. Denial of Service attacks like these are becoming commonplace, the only real course of action is to firewall, unfortunately, they can just spoof from another source address.
Is it possible for someone to forge the source IP address of an icmp packet?
yes
participants (8)
- Curtis Villamizar
- David R. Conrad
- George Eddy
- Jordy
- Michael Dillon
- Paul A Vixie
- Per Gregers Bilse
- Perry E. Metzger