[ale] flooding problem - a admin perspective

Russell Enderby russell.enderby at arris-i.com
Tue Dec 21 19:00:08 EST 1999


-----Original Message-----
 From:	jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
Sent:	Tuesday, December 21, 1999 10:19 AM
To:	Russell Enderby
Cc:	'ale at ale.org'; 'firewall-wizards at nfr.net'
Subject:	Re: [ale] flooding problem - a admin perspective


1) How are they flooding you? Are they flooding all the IPs you got, or
just one?
If they flood just one IP, you can call your upstream provider and tell em
to block that IP out of their routers (if they say they can't do it, let
me know, I'll call em and they will do it).

Just one IP.  But we don't want to block the IP, because then real users
cannot use the box.  Even if it was temporary, we have bandwidth-sensitive
folks who can't stand to be down 10 mins.

2) Wait and see, they will eventually stop.

However, this may not solve your problem. To solve it, it would be best if
you went on IRC and actually talked with the person he/she has pissed off.

Or you can deface their webpage as it is a group of some sort that is
doing this.
But this can get messy down the road, tried it once, trust me.

I think option 1 would be your bet.

This is no good.  They were running for like a week straight using more
than three T1s of bandwidth to hammer on us with.  It was not a pretty
sight.

Thanks for your input.
Russell


Russell Enderby wrote:

> Background:  You are an admin for an ISP who still runs shell services
> (i.e. eggdrops, etc.).  One of the eggdrops peeves off someone on the IRC
> network, who decides to take serious revenge on that user's eggdrop by
> ping flooding the box.
>
> The ping flood they decide is problematic; they run multiple attacks from
> multiple providers through China, so backtracing is very difficult if not
> impossible with the source IP being spoofed.
>
> You are running firewall rules with ipfwadm to block ICMP messages, but
> it takes down your upstream provider's pipe to you since they have their
> bandwidth at 80% capacity.
>
> What would you do?  Try to bandwidth limit flood attacks somehow without
> hindering other communications somewhere upstream?  Upstream providers
> WILL NOT put ICMP filters in place for you, so bandwidth is still consumed
> if you have firewalls in place.
>
> Just don't deal with the hassle and tell your shell customers to take a
> hike, while just leaving the problem out there, a real threat to anyone's
> network if they 'irritate' any joe blow on the internet?
>
> This problem is a problem that is difficult to solve, and anyone's input
> on this would be greatly appreciated.
>
> Sincerely,
> Russell Enderby
>