[NCLUG] Preventing ICMP DDoS

Sean Reifschneider jafo at tummy.com
Wed Aug 6 14:04:56 MDT 2003


On Wed, Aug 06, 2003 at 12:00:13PM -0600, Stephen G. Smith wrote:
>Strange, the ISP (upstream) should consider this an attack on THEIR
>network.

A few ISPs seem to have a policy that they're just a carrier and let all
traffic through.  It's pretty easy to see why you'd do that as an ISP:
you don't have to dedicate staff time to managing the routing policies
and you bill based on bandwidth used.  Then you run into cases like FRII
where they were stating this was the policy but at the same time they
were forcing at least their dial/dsl customers to go through an HTTP
caching proxy.

Actually, we were the target of a DoS/DDoS when we had a DSL line
through FRII as well.  I had always kind of assumed that it was someone
who had mis-typed the IP of the real target of their attack because I
couldn't imagine why anyone would target us.  Since we moved away from
FRII, we haven't had any problems.  So maybe it was more FRII that was
the target?

Anyway, FRII was threatening that they would only leave the ICMP block
up for us for a week.  I told them I didn't want ICMP blocked either,
and would be fine with them taking the block down as soon as the attack
was tracked to its source.  The attack was using spoofed source
addresses, so the only way to track it was for each ISP along the route
to find out what other ISP they were getting it from and request them to
track it down.  FRII was saying they were doing that, but never made any
progress on it and never removed the ICMP block.

>Perhaps a "bitch list" type of mailing to the offending network's abuse
>dept and management?

Depending on the attack, it can be very hard to do that.  Many types of
attacks don't have to have a valid source address to do, so the source
IP of the attack may not be the real source IP of the attack.  Many ISPs
don't implement appropriate filters on their network to ensure that
packets they send are from their own IPs.  At NCIC, we also drop inbound
packets that are in the ARIN reserved IP space.

Evi Nemeth was once talking about this sort of filtering and said that
while the Internet is growing, the amount of clue on the net remains
constant.

>Dropping packets only after they reach your network could be a mission
>in futility.

Indeed.  I'm shocked that someone at the ISP would even recommend that.
I hope they were just joking.

Sean
-- 
 On seeing a girl with a pierced tongue, he thought, "Just like
 Microsoft.  Can't do the job right, so throw hardware at it."
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin
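The two source-address filters Sean describes (an ISP only forwarding packets whose source is in its own address space, and dropping inbound packets from reserved space) as an added example that is not part of the thread. The prefix 203.0.113.0/24, the reserved-range list and the sample records are constructed assumptions; it also drops inbound packets that claim our own prefix, a common companion rule the post does not mention.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical prefix this network legitimately originates traffic from.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Reserved space that should never appear as an inbound source. The list is an
# assumption for this example (RFC 1918, loopback, link-local, documentation,
# multicast); a production bogon list is maintained and updated separately.
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
)]

def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)

def filter_packet(direction: str, src: str) -> str:
    """Return 'accept' or 'drop'; direction is 'out' (leaving us) or 'in'."""
    src_ip = ipaddress.ip_address(src)
    if direction == "out":
        # Egress anti-spoofing: anything we send must carry one of our addresses.
        return "accept" if _in_any(src_ip, OUR_PREFIXES) else "drop"
    if direction == "in":
        # Ingress: drop reserved-space sources and packets claiming our own space.
        if _in_any(src_ip, RESERVED_SOURCES) or _in_any(src_ip, OUR_PREFIXES):
            return "drop"
        return "accept"
    raise ValueError(f"unknown direction {direction!r}")

def filter_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Apply filter_packet to constructed 'direction src dst' records."""
    verdicts = []
    for line in lines:
        direction, src, _dst = line.split()
        verdicts.append((line, filter_packet(direction, src)))
    return verdicts

# Constructed sample traffic: direction, source, destination.
SAMPLE = [
    "out 203.0.113.10 198.51.100.5",   # legitimate outbound
    "out 198.51.100.77 203.0.113.10",  # spoofed source leaving our network
    "in 10.1.2.3 203.0.113.10",        # RFC 1918 source arriving from upstream
    "in 203.0.113.10 203.0.113.20",    # inbound packet claiming our own address
    "in 198.51.100.5 203.0.113.10",    # ordinary inbound traffic
]

for line, verdict in filter_log(SAMPLE):
    print(f"{verdict:6} {line}")
```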