From rob@brasaap.iaehv.nl  Sun Sep 15 22:37:26 1996
Received: from news.IAEhv.nl (root@news.IAEhv.nl [194.151.64.4]) by suburbia.net (8.7.4/Proff-950810) with SMTP id WAA19004 for <best-of-security@suburbia.net>; Sun, 15 Sep 1996 22:36:36 +1000
Received: from LOCAL (uucp@localhost) 
          by news.IAEhv.nl (8.6.13/1.63) with IAEhv.nl; pid 2265
          on Sun, 15 Sep 1996 14:33:02 +0200; id OAA02265
          efrom: rob@brasaap.iaehv.nl; eto: UNKNOWN
Received: (from rob@localhost) by brasaap.iaehv.nl (8.6.11/8.6.9) id KAA00403; Sun, 15 Sep 1996 10:20:32 +0200
From: "Rob J. Nauta" <rob@brasaap.iaehv.nl>
Message-Id: <199609150820.KAA00403@brasaap.iaehv.nl>
Subject: Re: BoS: ping flood
To: route@onyx.infonexus.com
Date: Sun, 15 Sep 1996 10:20:32 +0200 (MET DST)
Cc: best-of-security@suburbia.net
In-Reply-To: <19960915015214.27942.qmail@onyx.infonexus.com> from "route@onyx.infonexus.com" at Sep 14, 96 06:52:14 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> 
> Alfy's thoughts were:
> 
> | 
> | hello do you people know if there's a way for a system admin to prevent ping
> | floods from faster machines and which may cause a huge slowdown of the
> | connection?
> 
> 	Drop ICMP_ECHO packets at the router.  There is nothing one can do to 
> 	*stop* ICMP_ECHO floods, one can only ignore them...

One must always try to find the source of the ping flood, and contact
your upstream provider, or the contact of the source network. The goal
of a ping flood is to deny you IP facilities, and to make your network
less useable. If you have to disable all ICMP_ECHO packets, the attacker
has succeeded; you are disabling a valuable part of the TCP/IP protocol.
Now your machines will seem to be down to all legitimate ping users,
and I know some scripts like automated ftp or www mirrors ping first.
You may even find your site disappearing from search engines, when it
cannot be pinged anymore.
Most ping floods are done by inexperienced kids who are fighting out
some IRC conflict; by contacting their provider they can be traced
easily and be given a warning. When they see they can be traced that
easily, they'll hopefully think twice the next time.

Rob

-- 
                               /;    ;\
                           __  \\____//     From the keyboard of
                          /{_\_/  \`'\_/__    Rob J. Nauta
   \;/                    \___   (o\  /o  }     rob@nauta.it
 __//_______________________/          :--'       rjn@pobox.com
/ //########            ####  \_    `__\
 // ######      ####   ####     \___(o'o)
=/    ###     #######    ###       `===='

