More on Ping Flood attacks (today's tasty bit)

Keith Dawson (dawson@world.std.com)
Sat, 2 Aug 1997 12:42:42 -0400


8/2/97:

..More on Ping Flood attacks

I first wrote about these attacks two days ago. Here is an
expanded article with more detail about the workings of the attack
and its apparent deleterious effect on an important Internet
switching center.

Yet another kind of denial-of-service attack, the Ping Flood, has
been on the upswing in recent days. It uses the Internet Control
Message Protocol (ICMP) to fool an innocent network into amplifying
an attack's firepower: the attacker sends ICMP echo requests
("pings") whose source address is forged to be the victim's, and
addresses them not to a single host but to a third-party network's
broadcast address, so that every host on that network answers the
victim at once. The attacker's own address never appears in any
packet. Here's how the amplification works, as described on a
network operations mailing list:

> evil.com -> generates packet with forged address as
> (victim.com(icmp_echo)) -> destination for spoofed
> packet (44 broadcast addresses).

> From here... all 44 networks' broadcast addresses pass
> the ICMP with the forged address on to all machines
> using that network. Each machine then replies as:

> xxx.xxx.xxx.255
> abused.net.com (echo_reply) -> victim.com
> abused2.net.com (echo_reply) -> victim.com
> yyy.yyy.yyy.255
> abused3.othernet.com (echo_reply) -> victim.com
> abused4.othernet.com (echo_reply) -> victim.com

> [...etc...]
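
The exchange quoted above, as an added example that is not part of
the original article or of the Smurf program it describes: it builds
a real ICMP echo request with the source address forged to a victim,
then models what the abused network does with it, first with the
border router forwarding the directed broadcast and then with that
forwarding switched off. All addresses (RFC 5737 documentation
ranges), host counts and the 56-byte payload are constructed
assumptions; nothing is put on the wire.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 and ICMP
    headers.  Running it over a header that already carries its checksum
    yields 0, which is how the tests verify the packets."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, icmp_type: int, ident: int = 0x1234,
                    seq: int = 1, payload: bytes = b"A" * 56) -> bytes:
    """IPv4 datagram carrying an ICMP echo (type 8 = request, type 0 = reply).
    Nothing checks that src is really ours: for the attack it is forged to
    the victim's address, which is the whole trick."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_echo(pkt: bytes):
    """(src, dst, icmp_type) of a packet built by build_icmp_echo."""
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[20]


# Constructed amplifier networks, keyed by the directed-broadcast address the
# attacker targets: 40 hosts spread over two /24s.  Assumed, not from the page.
AMPLIFIERS = {
    "192.0.2.255": ["192.0.2.%d" % i for i in range(1, 31)],
    "198.51.100.255": ["198.51.100.%d" % i for i in range(1, 11)],
}
VICTIM = "203.0.113.7"   # hypothetical victim; appears only as the forged source


def abused_network_reacts(request: bytes, amplifiers: dict,
                          forward_directed_broadcast: bool = True) -> list:
    """Model the abused network's border router and hosts for one packet.
    With directed broadcasts forwarded (the common router default at the
    time) the router turns the ping to x.x.x.255 into a link-layer broadcast
    and every host answers the forged source.  With forwarding off the router
    drops it (or answers alone) and there is nothing to amplify."""
    src, dst, icmp_type = parse_echo(request)
    if icmp_type != 8 or dst not in amplifiers or not forward_directed_broadcast:
        return []
    return [build_icmp_echo(host, src, 0) for host in amplifiers[dst]]


def run_attack(victim: str, amplifiers: dict,
               forward_directed_broadcast: bool = True):
    """One forged request to each broadcast address; returns (requests, replies)."""
    requests, replies = [], []
    for bcast in amplifiers:
        req = build_icmp_echo(victim, bcast, 8)
        requests.append(req)
        replies.extend(abused_network_reacts(req, amplifiers,
                                             forward_directed_broadcast))
    return requests, replies


def amplification_factor(victim: str, amplifiers: dict,
                         forward_directed_broadcast: bool = True) -> float:
    """Bytes arriving at the victim per byte the attacker had to send."""
    requests, replies = run_attack(victim, amplifiers, forward_directed_broadcast)
    return sum(len(p) for p in replies) / sum(len(p) for p in requests)


if __name__ == "__main__":
    reqs, reps = run_attack(VICTIM, AMPLIFIERS)
    print("attacker sent %d packets, victim received %d echo replies"
          % (len(reqs), len(reps)))
    print("amplification: %.1fx" % amplification_factor(VICTIM, AMPLIFIERS))
    print("with directed broadcast off: %.1fx" % amplification_factor(
        VICTIM, AMPLIFIERS, forward_directed_broadcast=False))
```

With the two constructed networks, two attacker packets become forty
replies of the same size at the victim, a 20x gain that scales with
the number of hosts answering broadcast pings; with the border
router refusing to forward the directed broadcast the same packets
produce nothing at all.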

Ping Flooding is not to be confused with the Ping of Death [1] or
with SYN Flooding [2]. (Paying attention? There will be a test.)
Like most of its fellows, the technique is not new: one poster to
an ISP mailing list described a lively trade in Ping Flood programs
at UC Berkeley in the late 80s. The recent uptick in the attacks
seems to be due to such a program circulating anew. A network
operator in Texas recently posted part of a program called Smurf,
which is now being "passed around like candy." He requested help
from the operators in charge of any of 44 IP addresses listed in
the code. These were supposedly the broadcast addresses of networks
whose hosts might be used to amplify Ping Flood attacks (though
when I checked just now I found only 2 of the 44 to be valid
addresses). Of course, recipients of this source code could
substitute the broadcast addresses of other valid networks, but
most of them probably wouldn't bother.

One of the IPs hard-coded into Smurf is, rather alarmingly, the
broadcast address of MAE-East, a switching center outside of
Washington, DC, through which passes some 15% of all Internet
traffic.

See [3] for a graph showing a typical day's traffic at one of the
MAE-East switches before the Ping Flood attacks began (these data
are from 7/12). Now compare [4], a composite graph of the most re-
cent 5 days. Here's an operator speculating on what all those sus-
picious drops to zero might mean.

> 1. Send a Cisco enough (a thousand a second) ICMP ECHO
> REQUESTS, and it takes CPU to 99% and drops all BGP
> sessions. Tested on a C7010.

> 2. Various routers on MAE-East have been mysteriously
> clearing all their BGP peers over the past week or
> two.

> 3. The attack mentioned causes a lot of ICMP ECHO REQUESTS
> to be sent to Cisco routers on MAE-East.

> Are these facts by any chance related?

To defuse the technique a network operator can set a router to
block ICMP messages from particular IP addresses, or to block all
ICMP packets. Of course, doing so breaks some programs that rely on
ICMP, and a filter on the victim's own router only spares the hosts
behind it: by the time the replies are dropped there they have
already crossed the victim's upstream link, so to protect that link
the filter has to go in at the provider's side. The fix that
actually removes the amplification lies with the abused networks:
their border routers should not turn an incoming Ping addressed to
the network's broadcast address into a link-layer broadcast, but
simply answer or drop it themselves (on a Cisco router this is the
interface command "no ip directed-broadcast"), and hosts can be
configured not to answer echo requests sent to a broadcast address.
Either way the attacker gets at most one reply per packet sent
instead of one per host, which is no amplification at all.
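
The "block ICMP messages from particular IP addresses" fix first
needs the addresses, so here, as an added example that is not from
the original article or from any operator quoted in it, is the
detection step an operator at the victim would run over ICMP seen
at the border: echo replies the victim never asked for, arriving
from many distinct hosts of the same /24, mark that network as an
amplifier, and the result is turned into Cisco extended access-list
entries that drop only those replies. The log lines, the victim
address 203.0.113.7, the tcpdump-like text format and the threshold
of ten hosts are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ICMP traffic as seen at the victim's border, in a tcpdump-like
# text form; not a real capture.  203.0.113.7 is the hypothetical victim.
VICTIM = "203.0.113.7"
LEGIT = [  # the victim pings a host and gets one reply back: solicited
    "12:00:00.100 ICMP 203.0.113.7 > 198.51.100.1 echo-request",
    "12:00:00.112 ICMP 198.51.100.1 > 203.0.113.7 echo-reply",
]
FLOOD = [  # 25 hosts of one /24 answering a ping the victim never sent
    "12:00:01.%03d ICMP 192.0.2.%d > 203.0.113.7 echo-reply" % (i, i)
    for i in range(1, 26)
]
STRAY = ["12:00:02.000 ICMP 198.51.100.9 > 203.0.113.7 echo-reply"]  # one lone reply
SAMPLE_LOG = LEGIT + FLOOD + STRAY

LINE = re.compile(r"^(\S+) ICMP (\S+) > (\S+) (echo-request|echo-reply)$")


def parse_log(lines):
    """Yield (timestamp, src, dst, kind); lines in any other format are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield m.groups()


def find_amplifiers(lines, victim: str, min_hosts: int = 10) -> dict:
    """Return {"a.b.c.0/24": [replying hosts]} for networks whose hosts sent
    the victim echo replies it never requested.  Many distinct hosts of one
    network answering the same unsolicited ping is the directed-broadcast
    signature; a single stray reply is not reported.  (A real detector would
    also match ICMP ident/sequence and age out old requests; this sample
    simply remembers every address the victim pinged.)"""
    pinged = set()                    # addresses the victim itself sent requests to
    unsolicited = defaultdict(set)    # /24 -> hosts replying without a request
    for _ts, src, dst, kind in parse_log(lines):
        if kind == "echo-request" and src == victim:
            pinged.add(dst)
        elif kind == "echo-reply" and dst == victim and src not in pinged:
            net = ipaddress.ip_network(src + "/24", strict=False)
            unsolicited[str(net)].add(src)
    return {net: sorted(hosts, key=ipaddress.IPv4Address)
            for net, hosts in unsolicited.items() if len(hosts) >= min_hosts}


def acl_lines(amplifiers: dict, victim: str, acl_number: int = 101) -> list:
    """Cisco IOS extended access-list entries for the 'block ICMP from
    particular addresses' fix: drop echo replies from each abused network to
    the victim, so other ICMP (and replies from elsewhere) keep working."""
    out = []
    for net_str in sorted(amplifiers, key=ipaddress.ip_network):
        net = ipaddress.ip_network(net_str)
        out.append("access-list %d deny icmp %s %s host %s echo-reply"
                   % (acl_number, net.network_address, net.hostmask, victim))
    out.append("access-list %d permit ip any any" % acl_number)
    return out


if __name__ == "__main__":
    found = find_amplifiers(SAMPLE_LOG, VICTIM)
    for net, hosts in found.items():
        print("%s: %d hosts replied unsolicited, e.g. %s"
              % (net, len(hosts), hosts[0]))
    print("\n".join(acl_lines(found, VICTIM)))
```

On the sample the solicited reply from 198.51.100.1 and the lone
reply from 198.51.100.9 are ignored, while 192.0.2.0/24 is reported
with its 25 replying hosts; that list is also what you would send
to the abused network's operators, since the permanent fix is on
their router, not on the victim's.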

[1] http://www.tbtf.com/archive/11-12-96.html
[2] http://www.tbtf.com/archive/09-23-96.html
[3] http://www.mfsdatanet.com:80/MAE/east.giga.970712.html
[4] http://www.mfsdatanet.com:80/MAE/east.giga.overlay.html

_______________________________________________
Keith Dawson dawson@world.std.com
Layer of ash separates morning and evening milk.