Eskimo North



          Denial of Service Attack


          • To: outages-list@eskimo.com
          • Subject: Denial of Service Attack
          • From: Robert Dinse <nanook@eskimo.com>
          • Date: Mon, 16 Nov 1998 12:48:49 -0800 (PST)
          • Resent-Date: Mon, 16 Nov 1998 12:49:23 -0800
          • Resent-From: outages-list@eskimo.com
          • Resent-Message-ID: <"zNVtU2.0.Gl7.I_8Ks"@mx1>
          • Resent-Sender: outages-list-request@eskimo.com

          
               Today's network outage was caused by a denial of service attack known
          as a "smurf" attack.
          
               In this type of attack, the attacker finds a network with high
          bandwidth, a lot of hosts, and open network broadcast addresses (all sites
          SHOULD have ICMP blocked to their broadcast addresses).
          
               They then fire off rapid ICMP echo request packets (essentially a
          ping) with the source address forged to be the address of the target
          machine.
          
               This causes EVERY machine on the intermediate network to send an ICMP
          echo request to the forged source address, which in this case was one of
          our machines (chat).  In this particular case the volume was so heavy that
          it totally saturated both T1's with this bogus ICMP traffic, preventing
          legitimate traffic from getting through.
          
               I contacted the intermediate site and instructed their admin with
          regard to what to do to prevent their site from being used as an
          intermediary in this kind of attack.  Unfortunately, there are many
          unsecured sites on the Internet so this kind of attack is inevitable from
          time to time.
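
Added example, not part of the original message: a victim-side check that flags the traffic pattern of a smurf attack, where many hosts on one intermediate network send ICMP echo replies (type 0) that the target never requested. The record format, thresholds, function name and sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP type numbers

# Constructed sample records: (timestamp_ms, src_ip, dst_ip, icmp_type).
SAMPLE = (
    # 400 unsolicited replies from 200 hosts on one /24, aimed at 192.0.2.10
    [(i * 10, f"198.51.100.{i % 200 + 1}", "192.0.2.10", ECHO_REPLY)
     for i in range(400)]
    # an ordinary ping: the request goes out, the matching reply comes back
    + [(1000, "192.0.2.10", "203.0.113.5", ECHO_REQUEST),
       (1020, "203.0.113.5", "192.0.2.10", ECHO_REPLY)]
    # one stray reply, far below any flood threshold
    + [(1500, "203.0.113.77", "192.0.2.10", ECHO_REPLY)]
)


def find_reflected_floods(records, window_ms=1000, min_sources=50, prefix=24):
    """Return {target_ip: (intermediate_network, distinct_reply_sources)}.

    A target is reported when, inside one time window, at least
    `min_sources` distinct hosts from the same /`prefix` network send it
    echo replies for which no echo request from the target was seen.
    """
    requested = set()  # (requester, responder) pairs seen as echo requests
    # (target, window index) -> source network -> distinct source hosts
    buckets = defaultdict(lambda: defaultdict(set))

    for ts, src, dst, icmp_type in sorted(records):
        if icmp_type == ECHO_REQUEST:
            requested.add((src, dst))
        elif icmp_type == ECHO_REPLY and (dst, src) not in requested:
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            buckets[(dst, ts // window_ms)][net].add(src)

    alerts = {}
    for (dst, _window), nets in buckets.items():
        for net, sources in nets.items():
            busiest_so_far = alerts.get(dst, (None, 0))[1]
            if len(sources) >= min_sources and len(sources) > busiest_so_far:
                alerts[dst] = (str(net), len(sources))
    return alerts


if __name__ == "__main__":
    for target, (network, count) in find_reflected_floods(SAMPLE).items():
        print(f"{target}: {count} hosts in {network} sent unsolicited echo replies")
```

The reported network is the intermediate site whose administrator needs to be contacted, as described in the message above.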
          
          
          
          
