I read that certain types¹ of ICMP packets can be harmful. Questions:
Which ones and why?
How should I lay out an iptables ruleset to handle each type of ICMP packet?
Should I rate-limit any of these types of ICMP packets? And how?
[¹] The types I read about: Redirect (5), Timestamp (13) and Address Mask Request (17).
We are under a heavy icmp flood attack. Tcpdump shows the result below. Although we have blocked ICMP with iptables, tcpdump still prints icmp packets. I've also attached the iptables configuration and "top" result.
CentOS 4.x
I've got several old CentOS 4.x systems and have configured iptables to allow ICMP traffic.
I am creating a NAT with iptables:
Computer A: eth0 (dhcp) + eth1 (static ip 192.168.0.1 - gateway)
Computer B: eth1 (static ip 192.168.0.2, using Computer A as gateway)
I know how to block ICMP outgoing requests (-A OUTPUT -p icmp --icmp-type echo-request -j DROP), but that would block ICMP requests from Computer A, but not from Computer B (in fact, only for Computer A - Computer B can keep doi
In iptables, I added the rules below to limit the incoming icmp request packet rate. But it didn't work, because after the 1st incoming icmp request was accepted by the 1st rule and my host replied, all the following icmp requests were accepted by the 2nd rule, which accepts the incoming icmp request as an ESTABLISHED state packet.
I run a gaming community on a colo with a 100Mbps port. I want to buy a very cheap 35 dollar server with the same 100Mbps port and run pfSense on it to use as a hardware firewall. I'm dealing with a bunch of 14-year-old kids that have access to botnets, so it can become a bit necessary to get something like this.
How can I set ICMP rate-limiting in a Cisco router?
Here on the manual page they only talk about ICMP unreachable messages:
ip icmp rate-limit unreachable [df] [ms] [log [packets] [interval-ms]]
Is there anything that also includes other ICMP message types? For instance, what if I want to set a limit on the number of time-exceeded messages sent?
Using ICMP And ICMP6 Service Objects In Firewall Builder
For the following iptables rule:
iptables -A INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
I am not sure what the point of "-m" is given that "-p" is already present. Does it serve any purpose in this case?