From: Michael Dillon
To: isp@freebsd.org
Date: Thu, 21 Nov 1996 23:13:18 -0800 (PST)
Subject: Re: ICMP Ping Flood tracing
Organization: Memra Software Inc. - Internet consulting

On Thu, 21 Nov 1996, Veggy Vinny wrote:

> Is there any way to trace ICMP Ping Floods to see where the source
> machine is that is flooding your machine? Thanks.

If they all have the same source address that is likely to be their origin so contact the admins of the site containing that address. Otherwise you may have to track it back one hop at a time with the help of your service provider. They *WILL* do this for ping flood attacks and for SYN flood attacks but you may have to hammer them over the head to get to talk to the right people.

In other words, if you get a tech support droid that says "Huh?" tell them it is an emergency and that your site is under attack and that you need to talk to their security department NOW! Time is usually of the essence in tracking these attacks back to source when they are using forged source addresses.

Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael@memra.com
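
Added example (not part of the original message): a small triage script for the first step described in the reply, deciding from a capture whether the echo requests come from one source address or from many. It assumes the text output of `tcpdump -n icmp`; the function name, the 0.9 threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Text output of `tcpdump -n icmp`; only echo requests are counted.
ECHO_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3}) > "
    r"\d{1,3}(?:\.\d{1,3}){3}: ICMP echo request\b"
)

def summarize_echo_sources(lines, dominant_share=0.9):
    """Count echo requests per source and say which case of the reply applies.

    dominant_share is an assumed threshold, not a value from the message.
    """
    counts = Counter()
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if m:
            counts[m.group("src")] += 1
    total = sum(counts.values())
    if total == 0:
        return {"total": 0, "sources": 0, "top": None, "share": 0.0,
                "verdict": "no-echo-requests"}
    top, top_n = counts.most_common(1)[0]
    share = top_n / total
    # One dominant address: likely the origin, contact that site's admins.
    # Many addresses: likely forged, needs hop-by-hop tracing by the provider.
    verdict = "single-source" if share >= dominant_share else "many-sources"
    return {"total": total, "sources": len(counts), "top": top,
            "share": share, "verdict": verdict}

# Constructed sample captures (documentation address ranges, not real hosts).
SAMPLE_SINGLE = [
    f"23:13:18.{i:06d} IP 203.0.113.7 > 198.51.100.10: "
    f"ICMP echo request, id 1, seq {i}, length 64" for i in range(5)
] + ["23:13:18.000900 IP 198.51.100.10 > 203.0.113.7: "
     "ICMP echo reply, id 1, seq 0, length 64"]
SAMPLE_SPREAD = [
    f"23:13:19.{i:06d} IP 192.0.2.{10 + i} > 198.51.100.10: "
    f"ICMP echo request, id {i}, seq 0, length 64" for i in range(4)
]

if __name__ == "__main__":
    for name, sample in (("single", SAMPLE_SINGLE), ("spread", SAMPLE_SPREAD)):
        print(name, summarize_echo_sources(sample))
```

The per-source counts and capture timestamps are also the evidence a provider's security staff will ask for when tracing upstream.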