[NCLUG] Preventing ICMP DDoS
Stephen G. Smith
sgs at max-uptime.com
Wed Aug 6 12:00:13 MDT 2003
Strange, the ISP (upstream) should consider this an attack on THEIR network.

If they won't block the attack AND work to research and eliminate the problem, I suggest finding a new ISP.

Perhaps a "bitch list" type of mailing to the offending network's abuse dept and management?

Dropping packets only after they reach your network could be a mission in futility.
Stephen G.
-----Original Message-----
From: nclug-admin at nclug.org [mailto:nclug-admin at nclug.org] On Behalf Of
jeff
Sent: Wednesday, August 06, 2003 11:39 AM
To: nclug at nclug.org
Subject: [NCLUG] Preventing ICMP DDoS
I have a server that was under an ICMP-based DDoS attack. It was enough to flood the 100Mbit ethernet card.

After some arm twisting I was able to get the ISP to filter out ICMP to the target IP on one of their upstream routers. Everything was jolly again. The problem is that it is against the "policy" of this ISP to do such filtering and they are only doing it until the weekend. After that the attack may come back or may still be running.

A couple "techs" there were telling me to use the firewalling rules of the kernel to stop it. I was explaining that by the time it hits the box, the bandwidth is already gone so it doesn't matter if I filter there or not.

To me my options appear to be 1) pray they don't attack again or 2) buy the ISP's "PIX firewall" ($$$$) or 3) go to a different ISP.

I don't think I can count on 1. I don't want to do 2. 3 is kind of a drag since it involves coordinating lots of volunteers (I can't just move stuff myself) & lots of work (plus the contract).

Anyway, anyone here have a good option 4 that I'm missing? Is there some super-majick voodoo in the kernel that can help here?
Thanks,
-Jeff
_______________________________________________
NCLUG mailing list NCLUG at nclug.org
To unsubscribe, subscribe, or modify your settings, go to:
http://www.nclug.org/mailman/listinfo/nclug
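The point both posts circle around is that a host firewall rule only helps while the flood is below the link's capacity; once inbound ICMP fills the 100 Mbit pipe, dropping packets on the box itself changes nothing and the filter has to move upstream. The following is an added example, not code from the thread or from either poster: it parses constructed tcpdump-like capture lines, measures peak inbound ICMP load per second toward a destination, and reports whether a drop rule would still be useful on the host or only at the ISP. The link speed, the 38-byte per-frame Ethernet overhead, and treating the `length` field as the IP datagram size are this example's assumptions.

```python
"""Quantify an inbound ICMP flood and decide where a filter can still help.

Added example; not code from the NCLUG thread. Assumptions: a 100 Mbit/s link
(as in the original post), tcpdump-like capture lines whose "length" field is
taken as the IP datagram size, and a fixed 38-byte Ethernet framing overhead
per datagram (header, FCS, preamble, inter-frame gap).
"""
import re
from collections import defaultdict

LINK_MBIT = 100.0   # assumed link capacity, as in the original post
WIRE_OVERHEAD = 38  # assumed Ethernet framing bytes added to each IP datagram

# Matches constructed lines such as:
# 12:00:01.000100 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 1500
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+ IP (?P<src>\S+) > (?P<dst>[^:]+): "
    r"ICMP (?P<kind>[^,]+),.*?length (?P<len>\d+)$"
)


def make_capture(dst, src, pps, size, seconds=2):
    """Construct synthetic tcpdump-like lines: `pps` ICMP echo requests per second (test data)."""
    lines = []
    for sec in range(seconds):
        for i in range(pps):
            usec = i * 1_000_000 // pps
            lines.append(f"12:00:{sec:02d}.{usec:06d} IP {src} > {dst}: "
                         f"ICMP echo request, id 1, seq {i}, length {size}")
    return lines


def icmp_per_second(lines):
    """Return {(dst, 'HH:MM:SS'): (packets, wire_bytes)} counting ICMP lines only."""
    buckets = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not ICMP, or not a line this parser understands
        key = (m["dst"], f"{m['h']}:{m['m']}:{m['s']}")
        buckets[key][0] += 1
        buckets[key][1] += int(m["len"]) + WIRE_OVERHEAD
    return {k: tuple(v) for k, v in buckets.items()}


def peak_icmp_mbit(lines, dst):
    """Peak inbound ICMP load toward `dst`, in Mbit/s over one-second windows."""
    rates = [b * 8 / 1e6 for (d, _), (_, b) in icmp_per_second(lines).items() if d == dst]
    return max(rates, default=0.0)


def filter_point(mbit, link_mbit=LINK_MBIT):
    """Where a drop rule still helps: once the flood fills the link only an upstream
    filter restores service; below that, host rules at least spare CPU and the stack."""
    return "upstream" if mbit >= link_mbit else "host"


if __name__ == "__main__":
    flood = make_capture("192.0.2.10", "203.0.113.7", pps=9000, size=1500)
    benign = make_capture("192.0.2.10", "198.51.100.5", pps=10, size=84)
    for name, cap in (("flood", flood), ("benign", benign)):
        mbit = peak_icmp_mbit(cap, "192.0.2.10")
        print(f"{name}: {mbit:.2f} Mbit/s of ICMP -> filter at {filter_point(mbit)}")
```

Run as-is, the synthetic flood of 9000 full-size echo requests per second comes out at about 110 Mbit/s on the wire, above the 100 Mbit link, so the script points at the upstream router; the 10 pps background stream stays in the "host" range, where an iptables drop or rate-limit rule on the box is still worthwhile.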