[cisco-nas] ICMP flood (Denial of Service)

Charles Gregory cgregory at hwcn.org
Sun Feb 13 11:35:51 EST 2005


Greetings!

A week ago, our network was hit by an ICMP flood from a distributed
list of 'zombies'. We share our local net with a couple of other
organizations and this flood also impacted their service. To stop this
attack, packet filtering was applied on an upstream router, but this had
the effect of taking our web server off the net.

Is there anything we could do in the way of packet filtering to lessen the
effects of a future attack? Is it possible to block the particular form of
ICMP packets used (or *all* ICMP) without impacting net services? Would we
be able to apply this on our own router, or would the upstream provider
have to apply it? Here is a snip of log from the upstream router (after
the filter was applied):

Feb  4 17:25:51.215 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 0.0.0.0 -> 199.212.94.66 (0/0), 8723 packets
Feb  4 17:25:51.215 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 12.29.120.62 -> 199.212.94.66 (0/0), 15812 packets
Feb  4 17:28:51.539 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 64.83.37.136 -> 199.212.94.66 (0/0), 1337 packets
Feb  4 17:29:51.655 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 72.9.7.85 -> 199.212.94.66 (0/0), 6 packets

Am I correct in assuming the "(0/0)" means a bogus ICMP echo reply?
I suspect that blocking 0/0 packets would prevent pinging or traceroute
from working outbound. What about inbound? Could I only filter 0/0 while
permitting inbound 0/1 (or whatever)? 

Any and all help much appreciated.

- Charles Gregory
  HWCN Technical Support
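As an added example (not part of the original post), the following Python parses the IOS `%SEC-6-IPACCESSLOGDP` entries quoted above, decodes the `(type/code)` field (0/0 is ICMP Echo Reply, 8/0 would be Echo Request) and sums packet counts per source so that the heavy senders and the forged 0.0.0.0 source stand out. The regex, the `threshold` value and the `ICMP_TYPES` table are assumptions written against the log format shown in the post, not a Cisco-supplied tool.

```python
import re
from collections import Counter

# Constructed sample input: the four IPACCESSLOGDP entries quoted in the post,
# each re-joined onto one line (the mail client wrapped them).
SAMPLE_LOG = """\
Feb  4 17:25:51.215 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 0.0.0.0 -> 199.212.94.66 (0/0), 8723 packets
Feb  4 17:25:51.215 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 12.29.120.62 -> 199.212.94.66 (0/0), 15812 packets
Feb  4 17:28:51.539 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 64.83.37.136 -> 199.212.94.66 (0/0), 1337 packets
Feb  4 17:29:51.655 EASTERN: %SEC-6-IPACCESSLOGDP: list COH-DOS permitted icmp 72.9.7.85 -> 199.212.94.66 (0/0), 6 packets
"""

# For ICMP entries IOS prints "(type/code)" where TCP/UDP entries would show ports.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

# ICMP types a defender usually needs to tell apart before deciding what to filter.
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request", 11: "time-exceeded"}


def parse_line(line):
    """Return the fields of one IPACCESSLOGDP ICMP entry, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    t = int(m["type"])
    return {"acl": m["acl"], "action": m["action"], "src": m["src"], "dst": m["dst"],
            "type": t, "code": int(m["code"]), "kind": ICMP_TYPES.get(t, f"type-{t}"),
            "count": int(m["count"])}


def summarize(log_text, threshold=1000):
    """Sum logged ICMP packets per source and per type/code; flag suspect sources.

    A source is suspect when its total reaches the threshold, or when it is 0.0.0.0,
    which is not a valid Internet unicast source and so marks a forged header."""
    per_source, per_kind = Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        per_source[e["src"]] += e["count"]
        per_kind[(e["type"], e["code"], e["kind"])] += e["count"]
    suspects = {s: n for s, n in per_source.items() if n >= threshold or s == "0.0.0.0"}
    return per_source, per_kind, suspects
```

On the quoted entries `summarize(SAMPLE_LOG)` reports 25878 packets, all Echo Reply (0/0), and flags three of the four sources.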