Re: Thank you!
- To: beabout@eskimo.com
- Subject: Re: Thank you!
- From: Robert Dinse <nanook@eskimo.com>
- Date: Thu, 6 Jul 2000 19:23:10 -0700 (PDT)
- cc: outages-list@eskimo.com
- In-Reply-To: <39653C5C.7EAFA6EA@eskimo.com>
- Resent-Date: Thu, 6 Jul 2000 19:23:14 -0700
- Resent-From: outages-list@eskimo.com
- Resent-Message-ID: <"0eIla.0.6h7.IyJPv"@mx1>
- Resent-Sender: outages-list-request@eskimo.com
On Thu, 6 Jul 2000 beabout@eskimo.com wrote:
>
> 7/6/00 21:00 Newsgroups - There is no response. The server could be
> down or is not responding
>
> 7/6/00 21:05 Email - There is no response. The server could be
> down or is not responding

We were being hit with an ICMP packet flood DOS attack which fully
saturated both T1's.

There is an outbound access list at Sprint that is supposed to prevent
this, but Cisco routers, which just about every major backbone uses, have broken
packet fragment reassembly code that allows a properly fragmented packet to
bypass access lists, and of course the script kiddies have exploits to abuse
this.

This exploit in Cisco routers has been known since at least November of
1999, but is still not fixed. We don't use Cisco here, but since our provider
(Sprint in this case) does, the packet floods can still saturate our link.

We have explored using traffic shaping, or in Cisco's terms, CAR, but
because CAR uses the same technology as Cisco's access list, the same packet
fragment reassembly bug that allows access lists to be bypassed also allows CAR
to be bypassed.

We have a ticket open with Sprint, #3727594, but beyond that there isn't
much we can do to stop these.