[NCLUG] Preventing ICMP DDoS

Sean Reifschneider jafo at tummy.com
Wed Aug 6 14:23:54 MDT 2003


On Wed, Aug 06, 2003 at 11:38:55AM -0600, jeff wrote:
>A couple "techs" there were telling me to use the firewalling rules of the 
>kernel to stop it. I was explaining that by the time it hits the box, the 

Yeah, obviously that's not going to help.

>To me my options appear to be 1) pray they don't attack again or 2) buy the 
>ISP's "PIX firewall" ($$$$) or 3) go to a different ISP.

2) may not work if they're charging you bandwidth rates to the firewall,
instead of the bandwidth used behind it.

>Anyway, anyone here have a good option 4 that I'm missing? Is there some 
>super-majick voodoo in the kernel that can help here?

Well, the problem is that the packets have already used the bandwidth on
your line by the time they hit your kernel.  Other options you have are
to look at the source addresses -- do they seem to be legitimate or are
they likely to be spoofed?  If they're legit, try contacting the owners
of them.

If they aren't, I don't see that you have any choice but to ask your
upstream to track it to one of their upstreams, and get them to track it
further.  The only other option I can think of is to try to get CAIDA to
look for it on the sniffer boxes they have deployed around the net to
get an idea of what ISPs are seeing it.  I'd doubt that's really an
option, unless you know someone at CAIDA really well.

Sean
-- 
 668:     Next door neighbor of the beast.
 vivivi:  The editor of the beast.
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin
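The "look at the source addresses" step above, as an added example that is not part of the original post: a small Python script that reads netfilter-style kernel log lines, keeps the ICMP ones, and splits the source addresses into bogon (non-routable, so almost certainly spoofed) versus routable (candidates for an abuse contact). The log lines and the bogon list are constructed for the example; the bogon list is an illustrative subset of the IANA special-purpose registry rather than a full feed, and the TEST-NET documentation addresses stand in for ordinary public sources.

```python
import ipaddress
import re
from collections import Counter

# Constructed netfilter-style kernel log lines (sample data, not from the post).
# TEST-NET documentation addresses (198.51.100.x, 203.0.113.x) stand in for
# ordinary public sources here; in a real trace they would themselves be bogons.
SAMPLE_LOG = """\
kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 OUT= SRC=0.1.2.3 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1234 DPT=80
kernel: IN=eth0 OUT= SRC=127.0.0.1 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 OUT= SRC=224.0.0.1 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=0 CODE=0
"""

# Address blocks that should never appear as a source on an Internet link.
# Illustrative subset of the IANA special-purpose registry, not a full bogon feed.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?PROTO=(?P<proto>\w+)")


def parse_icmp_sources(log_text):
    """Return the source address of every ICMP line in the log, in order."""
    sources = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "ICMP":
            sources.append(m.group("src"))
    return sources


def is_bogon(addr):
    """True if the address falls in a block that cannot be a real Internet source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def classify_sources(log_text):
    """Count ICMP sources and split them into likely-spoofed (bogon) and routable."""
    counts = Counter(parse_icmp_sources(log_text))
    spoofed = {a: n for a, n in counts.items() if is_bogon(a)}
    routable = {a: n for a, n in counts.items() if not is_bogon(a)}
    return spoofed, routable


def spoof_ratio(log_text):
    """Fraction of ICMP packets whose source is a bogon address."""
    spoofed, routable = classify_sources(log_text)
    total = sum(spoofed.values()) + sum(routable.values())
    return sum(spoofed.values()) / total if total else 0.0


if __name__ == "__main__":
    spoofed, routable = classify_sources(SAMPLE_LOG)
    print("likely spoofed (bogon) sources:")
    for addr, n in sorted(spoofed.items(), key=lambda kv: -kv[1]):
        print(f"  {addr:<16} {n}")
    print("routable sources (candidates for abuse contacts):")
    for addr, n in sorted(routable.items(), key=lambda kv: -kv[1]):
        print(f"  {addr:<16} {n}")
    print(f"share of ICMP packets from bogon sources: {spoof_ratio(SAMPLE_LOG):.0%}")
```

A high bogon share, or many routable sources that never repeat, points to spoofing and means the upstream-tracing route in the post is the realistic one; a handful of routable sources that repeat heavily is the case where contacting their owners can actually work. Either way the classification only informs who to call, since, as the post notes, the bandwidth is already spent by the time the kernel logs the packet.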


