From nimrood@tester.randomc.com Mon Sep 16 06:25:04 1996
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id GAA12787 for ; Mon, 16 Sep 1996 06:25:03 +1000
Received: from tester.randomc.com(205.139.134.19) via SMTP by profane.adso.com.au, id smtpd12390aaa; Sun Sep 15 20:24:51 1996
Received: (from nimrood@localhost) by tester.randomc.com (8.7.4/8.7.3) id QAA06930; Sun, 15 Sep 1996 16:05:21 GMT
Date: Sun, 15 Sep 1996 16:05:21 +0000 (GMT)
From: LuNaTiC FRiNGe
To: best-of-security@suburbia.net
Subject: Re: BoS: ping flood
In-Reply-To: <19960915181157.10300.qmail@onyx.infonexus.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> If you wait until this point, the packets have still arrived on the
> network interface and traveled up the stack, until they are
> recognized as ICMP_ECHO packets. This will still take its toll
> as a DOS attack. The only way to deal with an ICMP_ECHO flood is
> to drop ICMP_ECHO traffic at the NAP.

This is true.. I was trying to present an easy way to immediately
identify who may be doing the flooding. If the flooder isn't too
bright, s/he won't be using a packet forger and would be easy to
track down.

Nimrood