How to enable ICMP ECHO but still protect against ICMP DoS attacks? [WAS: Are ICMP packets not important for a hosted machine?]

Shachar Shemesh shachar at shemesh.biz
Wed Oct 20 07:18:02 IST 2010


On 19/10/10 21:34, Maxim Veksler wrote:
> Follow up question:
>
> ICMP can be used for DoS. Cool.
>
First, let's distinguish between a DoS attack and a DDoS attack.

Denial of Service is when there is a bug in the victim's machine, which 
I can exploit in order to take it out. Send an IP packet to unpatched 
Windows 98 which is a fragment with large offset (close to the 64KB 
limit on IP packets), and a size that takes it over that limit, and the 
machine will blue screen within a couple of seconds. Since the original 
attack used ping packets to do this, this attack is called "ping of 
death". All the attacker had to do was send a single packet.

Distributed Denial of Service, on the other hand, does not require any 
bug in the OS at all. It means that the attacker has gathered enough raw 
power in order to flood the machine with more traffic than it can 
handle. DDoS can be used against any host, given enough attacking 
machines (which are, of course, hacked zombies), provided any free path 
in through the firewall. In fact, most DDoS attacks I've seen have not 
even reached the host, instead taking out routers on the way to the 
host. Typically the router for the last network, but on one occasion the 
ISP's peer routers to the upstream provider abroad.
> How does google battle with that? All google services are pingable 
> (which is very cool obviously).
>
See below for why "ping" isn't an issue. Google battles DDoS by having 
many many many servers, distributed geographically. The attackers, thus, 
do not have enough raw power to overcome Google. In fact, Google's 
legitimate traffic is, probably, so high, that the best botnet cannot 
raise that by over a few percents (few - up to 100%). Compare this with 
the typical DDoS, that raises the amount of traffic by millions of 
percents, and you see why Google are hard to attack.
> How do they protect against the attack? Surely there are enough script 
> kiddies that constantly try to DoS Google.
>
The question is a bit naive.

ICMP echo request is no different than any other non-filtered packet. 
Since your server is on line, you have to allow some traffic through, 
and an attacker can always choose that as the basis for her DDoS. In 
fact, given Google's setup, attacking through ping is more than silly. 
ICMP echo requests are very easy for the machine to handle, and can be 
blocked on an ad hoc basis without disrupting Google's main service. 
If the attacker were to send TCP SYN packets on port 80, on the other 
hand, these are small (about 44-60 bytes, depending on the type of OS 
you want to pretend they come from), unfilterable (look identical to the 
legitimate traffic), and require a lot of actions on the server side 
(set up a TCP socket, decide what the reply sequence number should be, 
parse all of the TCP options). If I were an attacker, I wouldn't bother 
with a ping flood where a SYN flood would work so much better, which 
might explain why Google doesn't bother with a ping flood either.

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
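As an added illustration of the "easy to handle, easy to block ad hoc" point above (this is editorial example code, not part of Shachar's message or of the Linux-il thread): a per-source token bucket lets a host keep answering ping for everyone while capping how many echo requests any single source can get answered per second. This is the same idea an iptables hashlimit match keyed on source IP implements in the kernel; here it is written out in Python over a constructed packet trace. The addresses (192.0.2.10, 198.51.100.7) are documentation-range sample values, and the rate and burst figures are arbitrary assumptions chosen for the demo.

```python
"""Per-source token-bucket rate limiting of ICMP echo requests.

Constructed example: a monitoring host pings once a second (should never be
dropped) while a second source sends 50 echo requests in half a second
(only its first burst should be answered). Non-ICMP packets are passed
through untouched, since, as the message notes, a SYN on port 80 looks
like legitimate traffic and needs different handling (e.g. SYN cookies).
"""
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REQUEST = "icmp-echo-request"


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source IP address
    kind: str   # ICMP_ECHO_REQUEST or any other label such as "tcp-syn"


class PerSourceTokenBucket:
    """One token bucket per source address.

    A source may send `burst` packets at once and then `rate` packets per
    second sustained; anything above that is refused. Semantically this is
    what an iptables `hashlimit` match in `srcip` mode does per source.
    """

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self._buckets = {}  # src -> (tokens remaining, timestamp of last update)

    def allow(self, src: str, ts: float) -> bool:
        tokens, last = self._buckets.get(src, (float(self.burst), ts))
        # Refill proportionally to elapsed time, never beyond the burst size.
        tokens = min(float(self.burst), tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, ts)
            return True
        self._buckets[src] = (tokens, ts)
        return False


def filter_echo_requests(packets, rate=1.0, burst=5):
    """Return (packet, verdict) pairs in arrival order.

    Verdicts: ACCEPT / DROP for ICMP echo requests, NOT-ICMP for anything
    else (left to other firewall rules).
    """
    limiter = PerSourceTokenBucket(rate, burst)
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if pkt.kind != ICMP_ECHO_REQUEST:
            verdict = "NOT-ICMP"
        elif limiter.allow(pkt.src, pkt.ts):
            verdict = "ACCEPT"
        else:
            verdict = "DROP"
        verdicts.append((pkt, verdict))
    return verdicts


def summarize(verdicts):
    """Count verdicts per source: {src: {"ACCEPT": n, "DROP": n, "NOT-ICMP": n}}."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0, "NOT-ICMP": 0})
    for pkt, verdict in verdicts:
        counts[pkt.src][verdict] += 1
    return dict(counts)


def sample_traffic():
    """Constructed trace: a well-behaved monitor and an echo-request flood."""
    monitor = [Packet(float(i), "192.0.2.10", ICMP_ECHO_REQUEST) for i in range(10)]
    flood = [Packet(2.0 + i * 0.01, "198.51.100.7", ICMP_ECHO_REQUEST) for i in range(50)]
    web = [Packet(3.5, "203.0.113.9", "tcp-syn")]
    return monitor + flood + web


if __name__ == "__main__":
    for src, c in summarize(filter_echo_requests(sample_traffic())).items():
        print(f"{src}: accepted {c['ACCEPT']}, dropped {c['DROP']}, other {c['NOT-ICMP']}")
```

With the defaults (1 request/s sustained, burst of 5) the monitor's ten pings are all answered, the flood source gets exactly its first five answered and the remaining 45 dropped, and the lone TCP SYN is untouched. The practical consequence matches the message: an ICMP flood costs the victim almost nothing per packet and can be capped per source without affecting anyone else's ability to ping the host, whereas the equivalent cap cannot be applied to SYNs without also limiting legitimate clients.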