Greetings, For starters you can disable all ICMP services except source-quench, paramter-problem, destination-unreachable, and time-exceeded at your border router or firewall. If this doesn't alleviate the problem, then you need to identify the type of ICMP datagrams that are being sent, you can do with a simple sniffer like tcpdump, and then block that particular ICMP packet type. Note I don't want to go into the merits or pitfalls of disabling ICMP, but there are good arguments made for both cases. Finally I would highly reccomend adding a stateful packet filter between your ISP and your network, take a look at netfilter.org, so you don't "have to weather the storm" or whatever else your ISP has in store for you. This will allow you to have a much tighter control over the traffic entering your network as well as traffic orininating from your network. Hope this helps, Guhan --- Richard Ginski <rginskiat_private> wrote: > This past weekend, we experienced the periodic > flooding of our network. > The flooding caused our network to be inaccessible. > The traffic has > mainly been ICMP: large quantities of large spoofed > packets...similar to > "ping-of-death. Appropriate patching has been > applied so the actual > attach does not shut anything down. However, it does > succeed in flooding > of our network rendering it inaccessible. > > We are trying to figure out a way, if any, to > mitigate this attack from > flooding our network in the future. We tried to > coordinate with our ISP > upstream but they say they can't do anything....and > we feel sending > resets on our end would be useless and ineffective. > We are trying to > figure out a way to eliminate the "choke point" or > "bottle neck" when > the attacks occur. I feel we should be able to do > something better than > just "weathering the storm". > > > Any suggestions? > > TIA > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS > analyzer service. > For more information on this free incident handling, > management > and tracking system please see: > http://aris.securityfocus.com > __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 21:03:15 PDT