From route@onyx.infonexus.com Mon Sep 16 04:09:15 1996
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id EAA24454 for ; Mon, 16 Sep 1996 04:09:14 +1000
From: route@onyx.infonexus.com
Received: from onyx.infonexus.com(204.162.164.220) via SMTP by profane.adso.com.au, id smtpd24398aaa; Sun Sep 15 18:09:06 1996
Received: (qmail-queue invoked by uid 501); 15 Sep 1996 18:11:57 -0000
Message-ID: <19960915181157.10300.qmail@onyx.infonexus.com>
Subject: Re: BoS: ping flood
To: nimrood@tester.randomc.com (LuNaTiC FRiNGe)
Date: Sun, 15 Sep 1996 11:11:57 -0700 (PDT)
Cc: best-of-security@suburbia.net
In-Reply-To: from "LuNaTiC FRiNGe" at Sep 15, 96 01:20:56 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

LuNaTiC FRiNGe's thoughts were:

| I don't know of a way to prevent them (I imagine it could be prevented by
| modifying the kernel to drop any echo request packets greater than size
| X), but you can find out WHO is pinging you and then contact the proper

If you wait until this point, the packets have still arrived on the
network interface and traveled up the stack, until they are recognized as
ICMP_ECHO packets. This will still take its toll as a DOS attack. The only
way to deal with an ICMP_ECHO flood is to drop ICMP_ECHO traffic at the NAP.

| ping -v -i372727723 localhost

Icmpinfo or the iplogger package are better solutions...
ftp.infonexus.com/pub/ToolsOfTheTrade/Unix/CounterMeasures/Daemons/

--
[ route@infonexus.com ] Editor, Phrack Magazine / Member, Guild Corporation
the greatest trick the devil ever pulled was convincing the world he didn't exist
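
The two ideas in this exchange (a size-X check on echo requests, and finding out who is sending them) are sketched below as an added example; it is not code from the message, from Icmpinfo or from iplogger. The function names, the `max_size` threshold and the sample packets (documentation-range addresses, zeroed checksums) are constructed for illustration. Note that `classify` has to read the IP header and the first ICMP byte before it can decide anything, which is the per-packet work the reply says a host-side filter has already paid for.

```python
import socket
import struct
from collections import Counter

ICMP_ECHO = 8  # ICMP type of an echo request

def build_packet(src, dst, icmp_type, payload_len):
    """Constructed sample IPv4+ICMP packet (checksums left zero; test data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

def classify(packet):
    """Return (source, total_length) for an ICMP echo request, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4         # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:
        return None                      # truncated or malformed
    if packet[9] != 1:                   # IP protocol 1 = ICMP
        return None
    if packet[ihl] != ICMP_ECHO:         # first ICMP byte is the type
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    return socket.inet_ntoa(packet[12:16]), total_len

def tally(packets, max_size):
    """Count echo requests per source, and those larger than max_size bytes."""
    seen, oversized = Counter(), Counter()
    for pkt in packets:
        hit = classify(pkt)
        if hit is None:
            continue
        src, size = hit
        seen[src] += 1
        if size > max_size:
            oversized[src] += 1
    return seen, oversized

# Constructed sample traffic: one noisy source, one normal ping, one echo reply.
SAMPLE = (
    [build_packet("192.0.2.10", "198.51.100.1", 8, 1400) for _ in range(5)]
    + [build_packet("192.0.2.20", "198.51.100.1", 8, 56)]
    + [build_packet("192.0.2.30", "198.51.100.1", 0, 56)]
)

if __name__ == "__main__":
    seen, oversized = tally(SAMPLE, max_size=1024)
    for src, count in seen.most_common():
        print(f"{src}: {count} echo requests, {oversized[src]} over 1024 bytes")
```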