On Thu, 6 Jul 2000 firstname.lastname@example.org wrote:
>
> 7/6/00 21:00 Newsgroups - There is no response. The server could be
> down or is not responding
>
> 7/6/00 21:05 Email - There is no response. The server could be
> down or is not responding

We were being hit with an ICMP packet flood DOS attack which fully saturated both T1s. There is an outbound access list at Sprint that is supposed to prevent this, but Cisco routers, which just about every major backbone uses, have broken packet fragment reassembly code that allows a properly fragmented packet to bypass access lists, and of course the script kiddies have exploits to abuse this. This exploit in Cisco routers has been known since at least November of 1999, but is still not fixed. We don't use Cisco here, but since our provider (Sprint in this case) does, the packet floods can still saturate our link.

We have explored using traffic shaping, or in Cisco's terms, CAR, but because CAR uses the same technology as Cisco's access list, the same packet fragment reassembly bug that allows access lists to be bypassed also allows CAR to be bypassed.

We have a ticket open with Sprint, #3727594, but beyond that there isn't much we can do to stop these.
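The bypass described in the message above comes down to a filter that matches on the ICMP header only ever seeing the first fragment; the non-initial fragments carry no ICMP header and still consume link bandwidth. The following Python is an added illustration, not part of this message and not a model of Cisco's actual ACL or CAR implementation: it simulates an L4-matching filter beside a fragment-aware one over constructed sample packets (the addresses and packet contents are made up).

```python
import struct
ICMP, TCP, ICMP_ECHO_REQUEST = 1, 6, 8

def build_ipv4(proto, offset, more, payload, src="198.51.100.7", dst="192.0.2.10"):
    """Constructed sample packet: 20-byte IPv4 header (checksum left zero) + payload."""
    flags_frag = (0x2000 if more else 0) | (offset & 0x1FFF)   # MF flag + 8-byte-unit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def parse_ipv4(pkt):
    """Return protocol, fragment offset and the L3 payload of a raw IPv4 packet."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    return {"proto": fields[6], "offset": fields[4] & 0x1FFF, "payload": pkt[ihl:]}

def l4_only_filter(pkt):
    """Denies ICMP echo requests by matching the ICMP type byte. Only the first
    fragment carries that byte, so every non-initial fragment falls through to permit."""
    p = parse_ipv4(pkt)
    if p["proto"] == ICMP and p["offset"] == 0 and p["payload"][:1] == bytes([ICMP_ECHO_REQUEST]):
        return "deny"
    return "permit"

def fragment_aware_filter(pkt):
    """Same rule, but a non-initial fragment of the filtered protocol carries no
    ICMP header to inspect, so it is denied instead of waved through."""
    p = parse_ipv4(pkt)
    if p["proto"] != ICMP:
        return "permit"
    if p["offset"] > 0 or p["payload"][:1] == bytes([ICMP_ECHO_REQUEST]):
        return "deny"
    return "permit"

def forwarded_bytes(acl, packets):
    """Bytes that still reach the downstream link (and eat its bandwidth) after filtering."""
    return sum(len(pkt) for pkt in packets if acl(pkt) == "permit")

# Constructed traffic: one 48-byte ICMP echo request split into three fragments
# (offsets in 8-byte units), plus an unrelated TCP segment that either filter should pass.
SAMPLE = [
    build_ipv4(ICMP, 0, True, bytes([ICMP_ECHO_REQUEST, 0, 0, 0, 0, 0, 0, 0]) + b"A" * 8),
    build_ipv4(ICMP, 2, True, b"B" * 16),
    build_ipv4(ICMP, 4, False, b"C" * 16),
    build_ipv4(TCP, 0, False, b"\x00" * 20),
]

if __name__ == "__main__":
    print("L4-only filter forwards", forwarded_bytes(l4_only_filter, SAMPLE), "bytes")
    print("fragment-aware filter forwards", forwarded_bytes(fragment_aware_filter, SAMPLE), "bytes")
```

Two of the three fragments pass the L4-only filter even though the first was dropped, which is why a flood of fragmented packets can still fill the link upstream of a filter that only inspects whole headers.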