Steve Lang wrote:
>
> Hi.
>
> I've observed a strange behaviour recently, whereby someone with a high
> speed Internet Connection and a Win95/NT machine sends Large numbers of
> Large ICMP's around the world.
>
> At times, this has been measured at 350Kb/sec entering our network, from the
> other side of the planet. Now, with a cisco (IOS 10.2(5)) in the appropriate
> place, of course the offender can be repelled/blocked with a specific
> exclusion, and the necessary network police notified etc.
>
> However, is it possible to block ICMP Continuation messages? These are only
> valid (afaik) when an icmp is larger than one packet, but I may be wrong here.
>
> Can we explicitly block any particular type of packet that is part of a much
> larger packet?
>
> E.g. (many many many of these per second)
>
> 207.164.106.20 -> wh3003.wave.co.nz ICMP continuation ID=104
> 207.164.106.20 -> wh3003.wave.co.nz ICMP continuation ID=360
> 207.164.106.20 -> wh3003.wave.co.nz ICMP continuation ID=616
>
> These are awfully easy to generate.... and very effective at network
> saturation, even if your hosts and routers are secured against the oversize
> ping packets.
>
> Any ideas?
>
> Cheers -
> Steve Lang, Wave internet services, Hamilton
> Fax: +64-7-838-0977 Voice: +64-7-839-1291 or 0800-80-9283
> EMail: slang @ cse . co . nz or slang @ wave . co . nz

Are you using multi-user boards in your main server such as Boca, Digi
etc.?

Donald R. Guillot
Network Engineer
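
Added example (not part of the original thread or either poster's code): a monitoring-side sketch of how the "ICMP continuation" packets in the trace above can be recognised. It reads only the IPv4 header (protocol 1, non-zero fragment offset) and counts them per source. The destination address, fragment offsets, threshold and all function names are assumptions made for the illustration.

```python
import socket
import struct
from collections import Counter

IPPROTO_ICMP = 1
MF_FLAG = 0x2000      # "more fragments" bit of the flags/offset word
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units

def classify(header):
    """Return (src, proto, ident, kind) for one IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident, flags_off = struct.unpack("!HH", header[4:8])
    # A non-first fragment carries no ICMP header of its own, so a filter on
    # ICMP type/code cannot match it; only protocol + offset identify it.
    if flags_off & OFFSET_MASK:
        kind = "continuation"
    elif flags_off & MF_FLAG:
        kind = "first-fragment"
    else:
        kind = "whole"
    return socket.inet_ntoa(header[12:16]), header[9], ident, kind

def icmp_continuations_by_source(headers, threshold):
    """Sources that sent at least `threshold` non-first ICMP fragments."""
    counts = Counter()
    for h in headers:
        src, proto, _ident, kind = classify(h)
        if proto == IPPROTO_ICMP and kind == "continuation":
            counts[src] += 1
    return {s: n for s, n in counts.items() if n >= threshold}

def make_header(src, dst, ident, offset_bytes, more, proto=IPPROTO_ICMP):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    flags_off = (MF_FLAG if more else 0) | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, ident, flags_off,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample: source and IDs as in the trace above; 192.0.2.10 stands
# in for the destination host, and the offsets are assumed values.
DST = "192.0.2.10"
SAMPLE = [
    make_header("207.164.106.20", DST, 104, 1480, True),
    make_header("207.164.106.20", DST, 360, 1480, True),
    make_header("207.164.106.20", DST, 616, 2960, False),
    make_header("198.51.100.7", DST, 7, 0, False),              # ordinary ping
    make_header("198.51.100.9", DST, 9, 1480, True, proto=17),  # UDP fragment
]

if __name__ == "__main__":
    print(icmp_continuations_by_source(SAMPLE, threshold=3))
```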