nanog mailing list archives
RE: ISP's who filter ICMP during DoS?
From: "David Schwartz" <davids () webmaster com>
Date: Thu, 28 Jun 2001 15:58:14 -0700
Filtering ICMP packets in DDoS attacks just makes the attacker attack
harder. It's not a useful strategy except when protecting very slow links
(T1 to 10Mbps) against very light attacks (32Mbps or less). The last few
DDoS attacks I've tried to filter have resulted in attacks so significant
there was nothing you could do at all. You will prompt a series of
escalations this way.
One new trick if the attacker can spoof is to take out a server on port 123
for IP 1.2.3.4 by swamping you with spoofed TCP SYN packets to that IP and
port. The source IPs tend to be chosen from areas rich in major government
and military sites. Filter them and the server is offline. Reply to them,
and you are flooding thousands of innocent victims (with powerful response
tactics) with unsolicited SYN ACK replies.
If the attacker can't spoof, the sources are usually tracked and shut down.
Filtering just makes it so that you can't do the tracking and shutting down.
So what's the good?
Perhaps other people's experiences differ from mine.
DS
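An added triage example (Python, not part of the original post) for the dilemma described above: it finds the hottest SYN target, separates sources that never complete a handshake from real clients, and reports what each response would cost, the SYN-ACKs reflected at spoofed sources if you answer, and the prefixes you would null-route if you filter. The flow records, target address and "sensitive" prefix list are constructed; RFC 5737 documentation ranges stand in for the government and military ranges the post mentions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dport, tcp_flag): not from the original post.
# RFC 5737 documentation prefixes stand in for the "government and military"
# ranges the post describes; the flood target is 198.51.100.5:123.
RECORDS = [
    ("192.0.2.10", "198.51.100.5", 123, "S"),
    ("192.0.2.11", "198.51.100.5", 123, "S"),
    ("192.0.2.12", "198.51.100.5", 123, "S"),
    ("203.0.113.7", "198.51.100.5", 123, "S"),
    ("203.0.113.8", "198.51.100.5", 123, "S"),
    ("198.51.100.77", "198.51.100.5", 123, "S"),
    ("198.51.100.77", "198.51.100.5", 123, "A"),  # real client completes the handshake
    ("198.51.100.78", "198.51.100.5", 80, "S"),
    ("198.51.100.78", "198.51.100.5", 80, "A"),
]

# Hypothetical list of prefixes the operator must never null-route.
SENSITIVE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("203.0.113.0/24")]

def triage_syn_flood(records, sensitive_prefixes):
    """Group SYNs by target, pick the hottest target, and separate sources that
    never complete a handshake (spoof-suspect) from those that do."""
    by_target = defaultdict(lambda: defaultdict(lambda: {"S": 0, "A": 0}))
    for src, dst, dport, flag in records:
        by_target[(dst, dport)][src][flag] += 1
    target, sources = max(by_target.items(),
                          key=lambda kv: sum(c["S"] for c in kv[1].values()))
    suspect = [s for s, c in sources.items() if c["S"] and not c["A"]]
    legit = [s for s, c in sources.items() if c["A"]]
    hit = {str(p) for s in suspect for p in sensitive_prefixes
           if ipaddress.ip_address(s) in p}
    return {
        "target": f"{target[0]}:{target[1]}",
        "syns": sum(c["S"] for c in sources.values()),
        "spoof_suspect_sources": sorted(suspect),
        "handshake_completers": sorted(legit),
        # every SYN you answer becomes one unsolicited SYN-ACK at the spoofed source
        "reflected_synacks_if_answered": sum(sources[s]["S"] for s in suspect),
        # filtering by source would cut off these sensitive prefixes as well
        "sensitive_prefixes_hit": sorted(hit),
    }

if __name__ == "__main__":
    for key, value in triage_syn_flood(RECORDS, SENSITIVE_PREFIXES).items():
        print(f"{key}: {value}")
```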