Date: Mon, 05 May 1997 18:21:51 -0500
From: Alex Nash <nash@mcs.com>
To: Michael Slater <slaterm@amiga.amitar.com.au>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Ping flood attacks
Message-ID: <336E6B8F.7DE14518@mcs.com>
References: <Pine.LNX.3.95.970506021744.2020C-100000@amiga.amitar.com.au>
Michael Slater wrote:

> earlier this evening my system with a 64k ISDN link was subjected to
> an extremely vicious Ping flood attack with randomly spoofed IP
> addresses. This completely saturated our link, rendering it unusable for
> several hours. My question: is it in any way possible to trace such an
> attack back to its true source?
>
> any info would be appreciated

It's unfortunate that not everyone blocks spoofed addresses at their routers; that's the only real way to prevent this kind of thing.

What I would suggest to you so that you could reduce half the bandwidth consumed by such an attack is this: compile your kernel with ipfw and deny icmptype 8 (echo request). Assuming you're not already using a firewall (i.e., running with everything wide open), these would be the commands:

    ipfw add deny icmp from any to your.ip.address icmptype 8
    ipfw add allow all from any to any

The first one swallows ICMP echo requests (incoming pings), and the second one lets all other traffic through. Personally I don't run with everything wide open, but if that's the way you're running now, it won't change the security one bit. Note that this does not prevent you from pinging other hosts, as their replies are of type 0.

One other thing you might want to try: if things are quiet for a while, you might want to add the 'log' keyword to the 'deny icmp' command above. There's a good chance that the person who's pinging you will see if your host is up/echoing replies back at some point. While you obviously can't jump on the first person who pings you, if you see a pattern of repeated pings over a period of time it might give you a good indication (and you might even recognize the culprit). As with any time you use the log keyword, investigate the usage of IPFW_VERBOSE_LIMIT (see ipfw(8)).

Alex
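The "watch for a pattern of repeated pings" step above is easy to do by hand for a few lines but tedious once the deny rule has been logging for a day. The script below is an added example, not part of the original post: it parses ipfw deny-log lines from syslog, keeps only ICMP type 8 (echo request) hits, and reports sources that probed more than a few times across a span of minutes or hours rather than in one burst (a burst during the flood itself carries spoofed sources and tells you nothing). The log line layout (`ipfw: <rule> Deny ICMP:<type>.<code> <src> <dst> in via <if>`) is assumed from the format ipfw's `log` keyword writes; the sample lines, addresses and thresholds are constructed for the example.

```python
"""Summarise ipfw 'deny ... log' hits for ICMP echo requests by source.

Added example, not code from the original mailing-list post. It assumes the
syslog layout 'ipfw: <rule> Deny ICMP:<type>.<code> <src> <dst> in via <if>';
adjust LINE_RE if your kernel or syslog formats the line differently.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (assumed format, documentation-range
# addresses, not captured from a real host).
SAMPLE_LOG = """\
May  5 18:01:02 gw /kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.7 198.51.100.2 in via ppp0
May  5 18:01:05 gw /kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.7 198.51.100.2 in via ppp0
May  5 18:02:11 gw /kernel: ipfw: 100 Deny ICMP:8.0 192.0.2.44 198.51.100.2 in via ppp0
May  5 18:03:40 gw /kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.7 198.51.100.2 in via ppp0
May  5 18:03:41 gw /kernel: ipfw: 100 Deny ICMP:3.3 192.0.2.9 198.51.100.2 in via ppp0
May  5 19:30:00 gw /kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.7 198.51.100.2 in via ppp0
"""

# Assumed log layout; the named groups are what the rest of the script uses.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: (?P<rule>\d+) Deny "
    r"ICMP:(?P<type>\d+)\.(?P<code>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"in via (?P<ifc>\S+)$"
)


def parse_echo_requests(log_text, year=1997):
    """Return a list of (timestamp, source) for each logged echo request.

    Syslog omits the year, so the caller supplies it; lines that do not
    match the assumed layout, or that are not ICMP type 8, are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("type") != "8":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m.group("src")))
    return hits


def repeat_offenders(hits, min_hits=3, min_span_minutes=2):
    """Map source -> (hit count, span in minutes) for sources that pinged at
    least min_hits times spread over at least min_span_minutes.

    Requiring a time span filters out a single burst (where the sources are
    most likely spoofed) and keeps the slow, repeated "is it up yet?" probing
    the post describes.
    """
    by_src = defaultdict(list)
    for ts, src in hits:
        by_src[src].append(ts)
    result = {}
    for src, times in by_src.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds() / 60
        if len(times) >= min_hits and span >= min_span_minutes:
            result[src] = (len(times), round(span, 1))
    return result


if __name__ == "__main__":
    for src, (count, span) in repeat_offenders(parse_echo_requests(SAMPLE_LOG)).items():
        print(f"{src}: {count} echo requests over {span} minutes")
```

Run it against `grep 'ipfw:' /var/log/messages` output instead of `SAMPLE_LOG` once logging has been on for a while; the thresholds are a starting point, and because IPFW_VERBOSE_LIMIT caps how many times one rule logs, a count that stops growing may mean the limit was reached, not that the pings stopped.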
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?336E6B8F.7DE14518>