Re: DOS by Flooding a Network

From: W.G. Iyer (guhan777at_private)
Date: Mon Jun 17 2002 - 17:42:33 PDT

Next message: Jeff Kell: "New script-kiddie looking scan"

Previous message: Skip Carter: "Re: DOS by Flooding a Network"
In reply to: Richard Ginski: "DOS by Flooding a Network"
Next in thread: Vitaly Osipov: "Re: DOS by Flooding a Network"
Reply: Vitaly Osipov: "Re: DOS by Flooding a Network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greetings,

For starters you can disable all ICMP services except 
source-quench, paramter-problem,
destination-unreachable, and time-exceeded at your
border router or firewall. 

If this doesn't alleviate the problem, then you need
to identify the type of ICMP datagrams that are being
sent, you can do with a simple sniffer like tcpdump,
and then block that particular ICMP packet type. Note
I don't want to go into the merits or pitfalls of
disabling ICMP, but there are good arguments made for
both cases.

Finally I would highly reccomend adding a stateful
packet filter between your ISP and your network, take
a look at netfilter.org, so you don't "have to weather
the storm" or whatever else your ISP has in store for
you. This will allow you to have a much tighter
control over the traffic entering your network as well
as traffic orininating from your network. 

Hope this helps,
Guhan

--- Richard Ginski <rginskiat_private> wrote:
> This past weekend, we experienced the periodic
> flooding of our network.
> The flooding caused our network to be inaccessible.
> The traffic has
> mainly been ICMP: large quantities of large spoofed
> packets...similar to
> "ping-of-death. Appropriate patching has been
> applied so the actual
> attach does not shut anything down. However, it does
> succeed in flooding
> of our network rendering it inaccessible.
> 
> We are trying to figure out a way, if any, to
> mitigate this attack from
> flooding our network in the future. We tried to
> coordinate with our ISP
> upstream but they say they can't do anything....and
> we feel sending
> resets on our end would be useless and ineffective.
> We are trying to
> figure out a way to eliminate the "choke point" or
> "bottle neck" when
> the attacks occur. I feel we should be able to do
> something better than
> just "weathering the storm".
> 
> 
> Any suggestions?
> 
> TIA
> 
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com
> 

__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Jeff Kell: "New script-kiddie looking scan"
Previous message: Skip Carter: "Re: DOS by Flooding a Network"
In reply to: Richard Ginski: "DOS by Flooding a Network"
Next in thread: Vitaly Osipov: "Re: DOS by Flooding a Network"
Reply: Vitaly Osipov: "Re: DOS by Flooding a Network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 21:03:15 PDT