> This past weekend, we experienced the periodic flooding of our network.
> The flooding caused our network to be inaccessible. The traffic has
> mainly been ICMP: large quantities of large spoofed packets...similar to
> "ping-of-death". Appropriate patching has been applied so the actual
> attack does not shut anything down. However, it does succeed in flooding
> of our network rendering it inaccessible.
>
> We are trying to figure out a way, if any, to mitigate this attack from
> flooding our network in the future. We tried to coordinate with our ISP
> upstream but they say they can't do anything....and we feel sending
> resets on our end would be useless and ineffective. We are trying to
> figure out a way to eliminate the "choke point" or "bottle neck" when
> the attacks occur. I feel we should be able to do something better than
> just "weathering the storm".

We have been seeing the same type of thing here, it started almost a week ago and became very heavy over the weekend. The packets almost look like a classical Smurf storm, but the destination IP is 255.255.255.255. This morning I created a Snort rule to record what is happening and so far I have seen 77 different supposed source addresses (which are almost certainly spoofed).

Fortunately for me, my ISP is cooperating in trying to deal with these events.

--
Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.        INTERNET: skipat_private
1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
Monterey, CA. 93940

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
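Added example, not part of the original post and not the poster's rule: a Python sketch that tallies the distinct claimed source addresses of ICMP alerts sent to 255.255.255.255, the kind of count the reply reports. It assumes Snort's "fast" alert line format; the rule in the comment, the SID, and every sample line are constructed for illustration.

```python
import re
from collections import Counter

# Hypothetical rule of the kind the reply describes (an assumption, not the poster's):
#   alert icmp any any -> 255.255.255.255 any (msg:"ICMP to limited broadcast"; sid:1000001; rev:1;)

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts (documentation address ranges only).
SAMPLE_ALERTS = """\
06/17-09:12:44.101010  [**] [1:1000001:1] ICMP to limited broadcast [**] [Priority: 0] {ICMP} 192.0.2.10 -> 255.255.255.255
06/17-09:12:44.101530  [**] [1:1000001:1] ICMP to limited broadcast [**] [Priority: 0] {ICMP} 198.51.100.23 -> 255.255.255.255
06/17-09:12:44.102200  [**] [1:1000001:1] ICMP to limited broadcast [**] [Priority: 0] {ICMP} 192.0.2.10 -> 255.255.255.255
06/17-09:12:45.000310  [**] [1:1000001:1] ICMP to limited broadcast [**] [Priority: 0] {ICMP} 203.0.113.5 -> 255.255.255.255
06/17-09:12:45.400000  [**] [1:1000003:1] Constructed unicast ICMP alert [**] [Priority: 0] {ICMP} 203.0.113.9 -> 192.0.2.1
06/17-09:13:02.000001  [**] [1:1000002:1] Constructed TCP test alert [**] [Priority: 0] {TCP} 198.51.100.7:4431 -> 192.0.2.80:80
truncated line without addresses
"""

def summarize_broadcast_icmp(text, dst="255.255.255.255"):
    """Return (Counter of alerts per claimed source, count of unparseable lines)."""
    per_source = Counter()
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FAST_RE.match(line)
        if m is None:
            skipped += 1  # keep a count so silent parse failures are visible
            continue
        if m["proto"] == "ICMP" and m["dst"] == dst:
            per_source[m["src"]] += 1
    return per_source, skipped

if __name__ == "__main__":
    sources, skipped = summarize_broadcast_icmp(SAMPLE_ALERTS)
    print(f"{len(sources)} distinct claimed sources, {skipped} unparseable line(s)")
    for src, n in sources.most_common():
        print(f"{n:6d}  {src}")
```

Because the sources are likely spoofed, the tally is useful as evidence of volume and timing for an upstream provider rather than as a block list.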
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 15:35:47 PDT