From nimrood@tester.randomc.com  Mon Sep 16 06:25:04 1996
Received: (sendmail@localhost) by suburbia.net (8.7.4/Proff-950810) id GAA12787 for <best-of-security@suburbia.net>; Mon, 16 Sep 1996 06:25:03 +1000
Received: from tester.randomc.com(205.139.134.19)
 via SMTP by profane.adso.com.au, id smtpd12390aaa; Sun Sep 15 20:24:51 1996
Received: (from nimrood@localhost) by tester.randomc.com (8.7.4/8.7.3) id QAA06930; Sun, 15 Sep 1996 16:05:21 GMT
Date: Sun, 15 Sep 1996 16:05:21 +0000 (GMT)
From: LuNaTiC FRiNGe <nimrood@tester.randomc.com>
To: best-of-security@suburbia.net
Subject: Re: BoS: ping flood
In-Reply-To: <19960915181157.10300.qmail@onyx.infonexus.com>
Message-ID: <Pine.LNX.3.91.960915160034.6912C-100000@tester.randomc.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


> 	If you wait until this point, the packets have still arrived on the 
> 	network interface and traveled up the stack, until they are 
> 	recognized as ICMP_ECHO packets.  This will still take its toll
> 	as a DOS attack.  The only way to deal with an ICMP_ECHO flood is
> 	to drop ICMP_ECHO traffic at the NAP.

This is true.. I was trying to present an easy way to immediately identify 
who may be doing the flooding. If the flooder isn't too bright, s/he 
won't be using a packet forger and would be easy to track down.

Nimrood

