[ale] flooding problem - a admin perspective

Jeff Walters jsw1 at bellsouth.net
Tue Dec 21 23:19:39 EST 1999


Maybe this seems like a naive viewpoint, but could you not get the FBI
involved?  After all, 3 T1's worth of bandwidth in ICMP packets from one
source for a week would seem to be traceable, even with spoofing and routing
tricks to hide the source address.

Once an employee at my company was escorted by the FBI (not local police) from
work to federal prison for sneaking a company laptop out (with proprietary
information on it) and selling it at a pawn shop.  Seems they would also be
interested in this, and could fairly easily track down the source ISP for these
packets.

On Tue, 21 Dec 1999, you wrote:
> -----Original Message-----
> From:	jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
> Sent:	Tuesday, December 21, 1999 10:19 AM
> To:	Russell Enderby
> Cc:	'ale at ale.org'; 'firewall-wizards at nfr.net'
> Subject:	Re: [ale] flooding problem - a admin perspective
> 
> 
> 1) How are they flooding you? Are they flooding all the IPs you got? Or
> just one?
> If they flood just one IP, you can call your upstream provider and tell em
> to block that IP out of their routers (If they say they can't do it, let me
> know, I'll call em and they will do it).
> 
> Just one IP.  But we don't want to block the IP, then real users cannot use
> the box.  Even if it was temporary we have bandwidth-sensitive folks who
> can't stand to be down 10 mins.
> 
> 2) Wait and see, they will eventually stop.
> 
> However this may not solve your problem; to solve it, it would be best if you
> went on IRC and actually talked with the person he/she has pissed.
> 
> Or you can deface their webpage as it is a group of some sort that is doing
> this.
> But this can get messy down the road, tried it once, trust me.
> 
> I think option 1 would be your bet.
> 
> This is no good.  They were running for like a week straight using more
> than three T1's of bandwidth to hammer on us with.  It was not a pretty
> sight.
> 
> Thanks for your input.
> Russell
> 
> 
> Russell Enderby wrote:
> 
> > Background:  You are an admin for an ISP who still runs shell services (i.e.
> > eggdrops, etc).  One of the eggdrops peeves off someone on the IRC network
> > and decides to take serious revenge on that user's eggdrop by ping flooding
> > the box.
> >
> > The ping flood they decide on is problematic: they run multiple attacks from
> > multiple providers through China, so backtracing is very difficult if not
> > impossible with the source IP being spoofed.
> >
> > You are running firewall rules with ipfwadm to block ICMP messages, but it
> > takes down your upstream provider's pipe to you since they have their
> > bandwidth at 80% capacity.
> >
> > What would you do?  Try to bandwidth limit flood attacks somehow without
> > hindering other communications somewhere upstream?  Upstream providers WILL
> > NOT put ICMP filters in place for you, so bandwidth is still consumed if you
> > have firewalls in place.
> >
> > Just don't deal with the hassle and tell your shell customers to take a hike
> > while just leaving the problem out there, a real threat to anyone's network
> > if they 'irritate' any joe blow on the internet?
> >
> > This problem is difficult to solve and anyone's input on this would be
> > greatly appreciated.
> >
> > Sincerely,
> > Russell Enderby
> >
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> 
-- 
Message of the Message:
You can't hold a man down without staying down with him.
		-- Booker T. Washington
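The thread asks how a host can limit an ICMP flood without hindering other traffic, and notes that real users must still be able to reach the box. As an added example that is not part of this thread (Jeff Walters, jj and Russell Enderby wrote none of it), the Python below models the mechanism the ipfwadm-era question is reaching for: a token bucket that meters only ICMP bytes while TCP and everything else pass untouched, plus a per-source ICMP packet-rate detector of the kind one would run over flow records to confirm a flood is under way. All addresses (203.0.113.5, 192.0.2.9, 198.51.100.7 from the documentation ranges), packet sizes, rates and the Packet record layout are constructed assumptions, not data from the thread.

```python
"""Meter ICMP at a host with a token bucket; detect floods per source.

Added illustration, not code from the ale/firewall-wizards thread.
Everything here is constructed: addresses, rates, packet sizes.
"""
from collections import defaultdict, namedtuple

# One packet as a flow collector might summarise it: timestamp (seconds),
# source address, protocol name, size in bytes.
Packet = namedtuple("Packet", "ts src proto size")


class TokenBucket:
    """Classic token bucket: tokens are bytes, refilled at rate_bps/8 bytes/s."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0      # bytes per second
        self.capacity = burst_bytes     # maximum stored tokens
        self.tokens = burst_bytes       # start full so a quiet host never drops
        self.last = None                # timestamp of the previous packet

    def allow(self, ts, size):
        """Admit a packet of `size` bytes at time `ts` if enough tokens exist."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def filter_packets(packets, icmp_rate_bps=64_000, icmp_burst_bytes=4_000):
    """Return (passed_packets, dropped_icmp_count).

    Only ICMP is metered, so non-ICMP traffic is never affected by the bucket.
    A single shared ICMP bucket is what a host-side rule gives you: it protects
    the box, but a spoofed flood still drains it, and bytes already arrived on
    the upstream link before the rule could act (the thread's core complaint).
    """
    bucket = TokenBucket(icmp_rate_bps, icmp_burst_bytes)
    passed, dropped = [], 0
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "icmp" and not bucket.allow(p.ts, p.size):
            dropped += 1
            continue
        passed.append(p)
    return passed, dropped


def detect_icmp_flood(packets, threshold_pps=200, window=1.0):
    """Sources whose ICMP packet count in any window exceeds threshold_pps.

    Against spoofed sources this identifies the flood, not the attacker; it is
    the evidence you hand to the upstream provider when asking them to filter.
    """
    counts = defaultdict(int)
    for p in packets:
        if p.proto == "icmp":
            counts[(p.src, int(p.ts // window))] += 1
    return sorted({src for (src, _), n in counts.items() if n > threshold_pps})


def sample_traffic(flood=True):
    """Constructed traffic: optional 1000 pps ICMP flood, 5 legit pings, 100 pps TCP."""
    pkts = []
    if flood:
        for i in range(5000):   # 5 seconds at 1000 pps, 1000-byte ICMP packets
            pkts.append(Packet(i / 1000.0, "203.0.113.5", "icmp", 1000))
    for i in range(5):          # one legitimate 64-byte ping per second
        pkts.append(Packet(i + 0.5, "192.0.2.9", "icmp", 64))
    for i in range(500):        # ordinary TCP at 100 pps, must never be dropped
        pkts.append(Packet(i / 100.0, "198.51.100.7", "tcp", 1400))
    return pkts


if __name__ == "__main__":
    pkts = sample_traffic()
    passed, dropped = filter_packets(pkts)
    print("flood sources:", detect_icmp_flood(pkts))
    print("tcp passed:", sum(1 for p in passed if p.proto == "tcp"), "of 500")
    print("icmp dropped:", dropped, "of", sum(1 for p in pkts if p.proto == "icmp"))
```

With a 64 kbit/s ICMP budget the 8 Mbit/s flood is almost entirely dropped while every TCP packet passes, which is the "limit ICMP without hindering other communications" half of the question. The legitimate pings share the same bucket and are therefore sometimes lost during the flood, matching the thread's concern that real users suffer; and because the metering runs on the victim host, the upstream pipe is just as full as before. The detector's output is what supports the request to the upstream provider for filtering closer to the source.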