Security Incidents mailing list archives

Re: Ping flood? Whats the point?


From: k.baker () ITS CANTERBURY AC NZ (Kerry Baker)
Date: Tue, 8 Feb 2000 14:42:02 +1300


We're currently a victim of this sort of attack - but of a different kind.
Someone spoofed the IP address of our web cache and flooded a server at
pair.com.  This is a web server hosting company and they promptly blocked
access from our web cache to all the sites they host (several thousand
including well known ones).  Our users put up with being unable to access
their favourite sites for a couple of weeks before letting me know there was
a problem.  It took some time for me to figure out that they were blocking
us for some reason and several days before I received a reply to the email I
sent them about it.  I have just sent an email back asking them to remove
the block as we weren't responsible for the attack.

Now fair enough for them to block access until they could figure out who was
responsible, but it brasses me off that they permanently blocked access and
didn't bother to contact us.
I'm more brassed off with the network admin who allowed the spoofed packets
to originate from their network in the first place.

The only way to stop this sort of attack taking place is to only allow
legitimate source addresses in packets leaving your networks.  Come on
people!  Lets all make an effort to stamp this out.

Regards,
Kerry.

-------------------------------------------------------------------
Kerry Baker                      Phone: +64 3 364 2336
NETWORK CONSULTANT                 Fax: +64 3 364 2332
Information Technology Services   http://www.canterbury.ac.nz
University of Canterbury        mailto:k.baker () its canterbury ac nz
Christchurch, New Zealand

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Chuck Phillips
Sent: Sunday, 6 February 2000 08:07
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Ping flood? Whats the point?


Andy David writes:
 > The ip's of course were spoofed, but the only way I was really able to
 > tell was after decoding some of the packets my firewall captured (from
 > different ip's) I found that the senders MAC address was identical
 > throughout the entire attack.

A common MAC address is to be expected if there is a common router between
you and the different IPs, spoofed or not.  MAC addresses are useful for
debugging non-malicious problems on your local network and not a lot more.

Further, if someone r00ts a machine on your local network, even the MAC
address can be spoofed.  Most modern NICs allow this.  This "feature"
allows transparent fail over (no routing/arp changes), but it
would be nice
if this feature required a _physical jumper change_ to enable and were
*not* enabled by default.  Oh, well.  Maybe someday the manufacturers will
catch on to this.

      Chuck


Current thread: