Security Incidents mailing list archives
Re: Ping flood? Whats the point?
From: k.baker () ITS CANTERBURY AC NZ (Kerry Baker)
Date: Tue, 8 Feb 2000 14:42:02 +1300
We're currently a victim of this sort of attack - but of a different kind. Someone spoofed the IP address of our web cache and flooded a server at pair.com. This is a web server hosting company and they promptly blocked access from our web cache to all the sites they host (several thousand including well known ones). Our users put up with being unable to access their favourite sites for a couple of weeks before letting me know there was a problem. It took some time for me to figure out that they were blocking us for some reason and several days before I received a reply to the email I sent them about it. I have just sent an email back asking them to remove the block as we weren't responsible for the attack. Now fair enough for them to block access until they could figure out who was responsible, but it brasses me off that they permanently blocked access and didn't bother to contact us. I'm more brassed off with the network admin who allowed the spoofed packets to originate from their network in the first place. The only way to stop this sort of attack taking place is to only allow legitimate source addresses in packets leaving your networks. Come on people! Lets all make an effort to stamp this out. Regards, Kerry. ------------------------------------------------------------------- Kerry Baker Phone: +64 3 364 2336 NETWORK CONSULTANT Fax: +64 3 364 2332 Information Technology Services http://www.canterbury.ac.nz University of Canterbury mailto:k.baker () its canterbury ac nz Christchurch, New Zealand
-----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Chuck Phillips Sent: Sunday, 6 February 2000 08:07 To: INCIDENTS () SECURITYFOCUS COM Subject: Re: Ping flood? Whats the point? Andy David writes: > The ip's of course were spoofed, but the only way I was really able to > tell was after decoding some of the packets my firewall captured (from > different ip's) I found that the senders MAC address was identical > throughout the entire attack. A common MAC address is to be expected if there is a common router between you and the different IPs, spoofed or not. MAC addresses are useful for debugging non-malicious problems on your local network and not a lot more. Further, if someone r00ts a machine on your local network, even the MAC address can be spoofed. Most modern NICs allow this. This "feature" allows transparent fail over (no routing/arp changes), but it would be nice if this feature required a _physical jumper change_ to enable and were *not* enabled by default. Oh, well. Maybe someday the manufacturers will catch on to this. Chuck
Current thread:
- Ping flood? Whats the point? Bill Pennington (Feb 01)
- Re: Ping flood? Whats the point? Ryan Sweat (Feb 02)
- <Possible follow-ups>
- Re: Ping flood? Whats the point? Don (Feb 02)
- tracing spoofing (Was Re: Ping flood? Whats the point?) Dragos Ruiu (Feb 03)
- Re: Ping flood? Whats the point? Andy David (Feb 03)
- Re: Ping flood? Whats the point? Bill Pennington (Feb 05)
- Re: Ping flood? Whats the point? Russell Fulton (Feb 06)
- Re: Ping flood? Whats the point? Chuck Phillips (Feb 05)
- Re: Ping flood? Whats the point? Kerry Baker (Feb 07)
- Re: Ping flood? Whats the point? Filip M. Gieszczykiewicz (Feb 08)
- Re: Ping flood? Whats the point? Kerry Baker (Feb 08)
- Re: Ping flood? Whats the point? Russell Fulton (Feb 09)
- Re: Ping flood? Whats the point? Thomas Vincent (Feb 09)
- Re: Ping flood? Whats the point? Filip M. Gieszczykiewicz (Feb 09)
- Re: Ping flood? Whats the point? Kerry Baker (Feb 07)
