[ale] RE: flooding problem - a admin perspective

Russell Enderby russell.enderby at arris-i.com
Wed Dec 22 18:42:38 EST 1999


-----Original Message-----
 From:	Nicko Demeter [SMTP:nicko at cwnet.com]
Sent:	Wednesday, December 22, 1999 12:02 PM
To:	Russell Enderby; ale at ale.org
Cc:	firewall-wizards at nfr.net
Subject:	[ale] RE: flooding problem - a admin perspective

ICMP ping floods have been largely addressed by vendors. In short, if you
are keeping your systems up-to-date with the patches and you have a good
knowledge of how Cisco routers work and how to build route tables, you are
fine.

Well, I already had firewalls up to deny the packets, except it does not keep 
them from still banging away with a 'tribes' distributed attack and still killing 
all bandwidth to me.

[Russell Enderby]

Please note that I do believe in somehow getting rid of the client that
caused the problem. For $10.99 it's not worth the hassle.

If they just direct the attack to the box, it is impossible to determine 
which $10.99 client is causing the trouble.  Otherwise, if they port 
directed the attack, then that client would already be gone.

[Russell Enderby]

---------------------------------------------------
[nicko demeter - jedi knight]
-----Original Message-----
 From: owner-firewall-wizards at lists.nfr.net
[mailto:owner-firewall-wizards at lists.nfr.net]On Behalf Of Russell
Enderby
Sent: Tuesday, December 21, 1999 6:25 AM
To: 'ale at ale.org'
Cc: 'firewall-wizards at nfr.net'
Subject: flooding problem - a admin perspective
Background:  You are an admin for an ISP who still runs shell services (i.e.
eggdrops, etc.).  One of the eggdrops peeves off someone on the IRC network
who decides to take serious revenge on that user's eggdrop by ping flooding
the box.

The ping flood they decide on is problematic: they run multiple attacks from
multiple providers through China, so backtracing is very difficult if not
impossible, with the source IP being spoofed.

You are running firewall rules with ipfwadm to block ICMP messages, but it
takes down your upstream provider's pipe to you since they have their
bandwidth at 80% capacity.

What would you do?  Try to bandwidth-limit flood attacks somehow without
hindering other communications somewhere upstream?  Upstream providers WILL
NOT put ICMP filters in place for you, so bandwidth is still consumed even if you
have firewalls in place.

Or just don't deal with the hassle and tell your shell customers to take a hike,
while leaving the problem out there as a real threat to anyone's network
if they 'irritate' any joe blow on the internet?

This is a problem that is difficult to solve, and anyone's input on
this would be greatly appreciated.

Sincerely,
Russell Enderby


--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message 
body.