How to stop ICMP DDoS?

Hello,

Please help me stop ICMP DDoS attacks. I'm not using any web hosting software (apache, mysql, exim etc.), just ssh and hlds.

Here is the log from tcpdump:
22:32:06.218189 IP 188.49.24.110 > cs: ICMP echo request, id 53484, seq 46586, length 1472
22:32:06.219013 IP 186.214.40.204.static.host.gvt.net.br > cs: icmp
22:32:06.219548 IP Dynamic-IP-1868338111.cable.net.co > cs: ICMP echo request, id 34826, seq 41701, length 1376
22:32:06.220599 IP Dynamic-IP-1868338111.cable.net.co > cs: icmp
22:32:06.221685 IP Dynamic-IP-1868338111.cable.net.co > cs: icmp
22:32:06.221693 IP Dynamic-IP-1868338111.cable.net.co > cs: icmp
22:32:06.221858 IP 189.50.123.126.g8.gna.cho.g8networks.com.br > cs: ICMP echo request, id 50179, seq 35211, length 1480
22:32:06.227700 IP cs.13337 > 188-95-212-29.telset.ee.59045: Flags [P.], seq 16065:17013, ack 2860, win 257, length 948
22:32:06.230584 IP dsl-189-173-66-12-dyn.prod-infinitum.com.mx > cs: icmp
22:32:06.232912 IP 190.34.55.4 > cs: icmp
22:32:06.232922 IP 72.252.24.245 > cs: ICMP echo request, id 14345, seq 56288, length 1480
22:32:06.233128 IP 72.252.24.245 > cs: icmp
22:32:06.233394 IP 72.252.24.245 > cs: icmp
22:32:06.233401 IP 72.252.24.245 > cs: icmp
22:32:06.234017 IP 132.115.in-addr.arpa > cs: ICMP echo request, id 47108, seq 52761, length 1472
22:32:06.236240 IP dsl-187-198-20-232-dyn.prod-infinitum.com.mx > cs: ICMP echo request, id 26634, seq 24739, length 1472
22:32:06.241457 IP 109-186-28-102.bb.netvision.net.il > cs: ICMP echo request, id 53255, seq 38376, length 1472
22:32:06.248835 IP 109-186-28-102.bb.netvision.net.il > cs: icmp
22:32:06.249739 IP na-201-156-28-202.static.avantel.net.mx > cs: icmp
22:32:06.252571 IP 92.99.89.196 > cs: ICMP echo request, id 61675, seq 14431, length 1256
22:32:06.255362 IP Dynamic-IP-1868338111.cable.net.co > cs: ICMP echo request, id 34826, seq 14822, length 1376
22:32:06.255491 IP Dynamic-IP-1868338111.cable.net.co > cs: icmp
22:32:06.258228 IP 88.243.136.13 > cs: ICMP echo request, id 19458, seq 5059, length 1456
22:32:06.262125 IP 186.214.40.204.static.host.gvt.net.br > cs: icmp
22:32:06.263428 IP dsl-189-186-140-126-dyn.prod-infinitum.com.mx > cs: ICMP echo request, id 24578, seq 31762, length 1472
22:32:06.264141 IP 109-186-28-102.bb.netvision.net.il > cs: icmp
22:32:06.272861 IP 201.171.84.242.dsl.dyn.telnor.net > cs: icmp
22:32:06.274201 IP 137-65-136-186.fibertel.com.ar > cs: icmp
22:32:06.277670 IP 109-186-28-102.bb.netvision.net.il > cs: icmp
22:32:06.286239 IP 190.34.55.4 > cs: icmp
22:32:06.286248 IP hst-225-187.splius.lt.epicon > cs.igrid: UDP, length 25
22:32:06.286260 IP cs > hst-225-187.splius.lt: ICMP cs udp port igrid unreachable, length 61
22:32:06.292892 IP 109-186-28-102.bb.netvision.net.il > cs: icmp
22:32:06.293186 IP 168.167.183.156 > cs: icmp
22:32:06.298208 IP 189-210-61-78.static.axtel.net > cs: ICMP echo request, id 33798, seq 61157, length 1480
22:32:06.298570 IP 94.41.235.205.dynamic.neft.ufanet.ru.media-agent > cs.27077: UDP, length 25
22:32:06.298586 IP cs > 94.41.235.205.dynamic.neft.ufanet.ru: ICMP cs udp port 27077 unreachable, length 61
22:32:06.307441 IP 109-186-28-102.bb.netvision.net.il > cs: icmp
22:32:06.307824 IP na-201-156-28-202.static.avantel.net.mx > cs: ICMP echo request, id 61557, seq 32524, length 1472
22:32:06.312355 IP dsl-187-171-170-202-dyn.prod-infinitum.com.mx > cs: ICMP echo request, id 62477, seq 58225, length 1472
22:32:06.312685 IP 46-117-197-81.bb.netvision.net.il > cs: ICMP echo request, id 26630, seq 44986, length 1480
22:32:06.314246 IP pc-168-144-241-201.cm.vtr.net > cs: icmp
22:32:06.314256 IP 109-186-28-102.bb.netvision.net.il > cs: icmp
22:32:06.319585 IP 137-65-136-186.fibertel.com.ar > cs: icmp
22:32:06.321782 IP 93-172-89-6.bb.netvision.net.il > cs: ICMP echo request, id 54275, seq 64492, length 1472
22:32:06.330989 IP 132.115.in-addr.arpa > cs: icmp
22:32:06.331251 IP 82.178.185.228 > cs: ICMP echo request, id 58372, seq 50843, length 1472
22:32:06.331261 IP 190.238.18.45 > cs: icmp
22:32:06.332930 IP pc-168-144-241-201.cm.vtr.net > cs: ICMP echo request, id 55302, seq 41888, length 1480
22:32:06.334095 IP dsl-189-186-140-126-dyn.prod-infinitum.com.mx > cs: icmp
22:32:06.337036 IP 186.214.40.204.static.host.gvt.net.br > cs: ICMP echo request, id 45003, seq 7855, length 1472
22:32:06.338053 IP 88.243.136.13 > cs: ICMP echo request, id 19458, seq 12739, length 1456
22:32:06.338063 IP dsl-189-173-66-12-dyn.prod-infinitum.com.mx > cs: icmp
22:32:06.339399 IP 190.34.55.4 > cs: icmp
22:32:06.340688 IP dsl-187-198-20-232-dyn.prod-infinitum.com.mx > cs: icmp
22:32:06.342362 IP 188.49.24.110 > cs: ICMP echo request, id 53484, seq 53499, length 1472
22:32:06.346936 IP 178.124.33.32.personalos-001 > cs.28888: UDP, length 25
22:32:06.346952 IP cs > 178.124.33.32: ICMP cs udp port 28888 unreachable, length 61
22:32:06.356437 IP na-201-156-28-202.static.avantel.net.mx > cs: icmp
22:32:06.362816 IP na-201-156-28-202.static.avantel.net.mx > cs: icmp
22:32:06.364662 IP 93-172-89-6.bb.netvision.net.il > cs: ICMP echo request, id 54275, seq 2285, length 1472
22:32:06.365494 IP 168.167.183.156 > cs: ICMP echo request, id 56764, seq 26593, length 1480
22:32:06.366469 IP 190.34.55.4 > cs: icmp
22:32:06.372559 IP 186.214.40.204.static.host.gvt.net.br > cs: ICMP echo request, id 45003, seq 23215, length 1472
22:32:06.373282 IP 188.49.24.110 > cs: ICMP echo request, id 53484, seq 11004, length 1472
22:32:06.390857 IP 246.212.48.60.jb01-home.tm.net.my > cs: ICMP echo request, id 26630, seq 25514, length 1472
22:32:06.392718 IP 190.34.55.4 > cs: icmp
22:32:06.393092 IP 190-92-50-116.reverse.cablecolor.hn > cs: icmp
22:32:06.396999 IP pc-168-144-241-201.cm.vtr.net > cs: icmp
22:32:06.397189 IP na-201-156-28-202.static.avantel.net.mx > cs: icmp
22:32:06.410078 IP dsl-189-173-66-12-dyn.prod-infinitum.com.mx > cs: icmp
22:32:06.411277 IP 137-65-136-186.fibertel.com.ar > cs: ICMP echo request, id 4429, seq 60350, length 1480
22:32:06.412996 IP 132.115.in-addr.arpa > cs: icmp
22:32:06.413356 IP 190.238.18.45 > cs: ICMP echo request, id 60418, seq 645, length 1472
22:32:06.417147 IP 94.99.58.171.dynamic.saudi.net.sa > cs: ICMP echo request, id 31755, seq 65373, length 1472
22:32:06.418412 IP dsl-187-171-170-202-dyn.prod-infinitum.com.mx > cs: ICMP echo request, id 62477, seq 34162, length 1472
22:32:06.419041 IP 46-117-197-81.bb.netvision.net.il > cs: ICMP echo request, id 26630, seq 56762, length 1480
22:32:06.419784 IP 190.34.55.4 > cs: icmp
22:32:06.419812 IP 88.243.136.13 > cs: ICMP echo request, id 19458, seq 20419, length 1456
22:32:06.420492 IP 73-126-27-72-br2-DYNAMIC-dsl.cwjamaica.com > cs: ICMP echo request, id 58556, seq 1175, length 1472
22:32:06.424912 IP 189-110-32-185.dsl.telesp.net.br > cs: icmp
22:32:06.431869 IP 189-209-116-28.static.axtel.net > cs: ICMP echo request, id 35849, seq 20853, length 1480
22:32:06.432111 IP 137-65-136-186.fibertel.com.ar > cs: ICMP echo request, id 4429, seq 959, length 1480
22:32:06.432120 IP 188-95-212-29.telset.ee.59045 > cs.13337: Flags [.], ack 17013, win 16175, length 0
22:32:06.433834 IP 73-126-27-72-br2-DYNAMIC-dsl.cwjamaica.com > cs: ICMP echo request, id 58556, seq 2455, length 1472
22:32:06.437331 IP 186.214.40.204.static.host.gvt.net.br > cs: ICMP echo request, id 45003, seq 43695, length 1472
22:32:06.439437 IP 189.50.123.126.g8.gna.cho.g8networks.com.br > cs: ICMP echo request, id 50179, seq 39563, length 1480
22:32:06.440112 IP dsl-189-186-140-126-dyn.prod-infinitum.com.mx > cs: ICMP echo request, id 24578, seq 46098, length 1472
22:32:06.446869 IP bb150387.virtua.com.br > cs: ICMP echo request, id 1030, seq 58716, length 1480
22:32:06.447607 IP 73-126-27-72-br2-DYNAMIC-dsl.cwjamaica.com > cs: ICMP echo request, id 58556, seq 3735, length 1472
22:32:06.448652 IP 94.99.58.171.dynamic.saudi.net.sa > cs: ICMP echo request, id 31755, seq 3678, length 1472
22:32:06.449632 IP 186.214.40.204.static.host.gvt.net.br > cs: icmp
22:32:06.452241 IP 190.42.192.69 > cs: ICMP echo request, id 38926, seq 42985, length 1472
22:32:06.457213 IP 190-92-50-116.reverse.cablecolor.hn > cs: icmp
22:32:06.458356 IP 19014232107.ip9.static.mediacommerce.com.co > cs: ICMP echo request, id 13318, seq 30717, length 1480
22:32:06.458524 IP 137-65-136-186.fibertel.com.ar > cs: icmp
22:32:06.458886 IP 19014232107.ip9.static.mediacommerce.com.co > cs: icmp
22:32:06.459934 IP 19014232107.ip9.static.mediacommerce.com.co > cs: icmp
22:32:06.460446 IP 19014232107.ip9.static.mediacommerce.com.co > cs: icmp
22:32:06.461233 IP 73-126-27-72-br2-DYNAMIC-dsl.cwjamaica.com > cs: icmp
22:32:06.461981 IP 186.214.40.204.static.host.gvt.net.br > cs: ICMP echo request, id 45003, seq 59055, length 1472
22:32:06.461991 IP dsl-189-173-66-12-dyn.prod-infinitum.com.mx > cs: icmp
22:32:06.462441 IP 46-117-197-81.bb.netvision.net.il > cs: ICMP echo request, id 26630, seq 59834, length 1480
22:32:06.462451 IP 186.214.40.204.static.host.gvt.net.br > cs: icmp


This log is from a 200 Kbit/sec attack; the maximum punch was about 800 Mbit/sec.


--
Best regards,
tanel
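As an added example (not code from this thread), a small Python parser for the tcpdump line format shown above: it tallies, per source, the decoded "ICMP echo request" lines against the bare "icmp" lines, which tcpdump prints for non-first IP fragments of large pings and which a host rule matching only `--icmp-type echo-request` never sees. The sample capture, the hostname `cs` and the addresses are constructed.

```python
import re
from collections import defaultdict

# Line shapes from the capture above (tcpdump without -n, so hostnames may replace IPs).
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
ECHO_RE = re.compile(r"^ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$")


def parse_line(line):
    """Return (ts, src, kind, length) for inbound ICMP lines, else None.
    kind is 'echo' for a decoded echo request (the first IP fragment, carrying
    the ICMP header) or 'frag' for a bare 'icmp' line, which tcpdump emits when
    the ICMP header is not present, i.e. a non-first fragment of a large ping."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    e = ECHO_RE.match(rest)
    if e:
        return (m.group("ts"), m.group("src"), "echo", int(e.group("len")))
    if rest == "icmp":
        return (m.group("ts"), m.group("src"), "frag", 0)
    return None  # TCP, UDP, port-unreachable replies etc. are not counted


def summarize(lines, min_echo=2):
    """Per-source echo/fragment counts and echo-request bytes; returns only
    sources with >= min_echo echo requests, busiest (echo + frag) first."""
    stats = defaultdict(lambda: {"echo": 0, "frag": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, kind, length = rec
        stats[src][kind] += 1
        stats[src]["bytes"] += length
    noisy = {s: d for s, d in stats.items() if d["echo"] >= min_echo}
    return sorted(noisy.items(), key=lambda kv: -(kv[1]["echo"] + kv[1]["frag"]))


# Constructed sample in the same format as the capture (RFC 5737 test addresses).
SAMPLE = """\
22:32:06.218189 IP 192.0.2.10 > cs: ICMP echo request, id 53484, seq 46586, length 1472
22:32:06.219013 IP 192.0.2.10 > cs: icmp
22:32:06.221685 IP 192.0.2.10 > cs: icmp
22:32:06.227700 IP cs.13337 > 198.51.100.7.59045: Flags [P.], seq 16065:17013, ack 2860, win 257, length 948
22:32:06.232922 IP 198.51.100.22 > cs: ICMP echo request, id 14345, seq 56288, length 1480
22:32:06.286248 IP 198.51.100.9.27015 > cs.27015: UDP, length 25
22:32:06.342362 IP 192.0.2.10 > cs: ICMP echo request, id 53484, seq 53499, length 1472
"""

if __name__ == "__main__":
    for src, d in summarize(SAMPLE.splitlines()):
        print(f"{src}: {d['echo']} echo requests, {d['frag']} fragments, {d['bytes']} bytes")
```

Note that tcpdump taps packets before netfilter drops them, so a host-side DROP rule does not change what this counter reports; the bandwidth is consumed on the link regardless, which is why filtering has to happen upstream.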
farzanj Commented:
To make this permanent (persistent after reboot):

Edit /etc/sysctl.conf

And include the line

net.ipv4.icmp_echo_ignore_all=0

Second,

You can stop it with iptables. You can either stop it totally with iptables or just limit it.

Here is a reference for you
http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
farzanj Commented:
Why don't you stop replying to pings?


echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all


This would ignore all the ICMP requests.
tanel (Author) Commented:
Thanks for your reply. Actually, the tcpdump log was made after that, as I have already blocked all ping requests with iptables:

DROP       icmp --  anywhere             anywhere            icmp echo-request
/proc/sys/net/ipv4/icmp_echo_ignore_all 0 already

So it's not enough, as I see.

Current conf:
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable route verification on all interfaces
net.ipv4.conf.all.rp_filter = 1
# disable IPv6 completely
net.ipv6.conf.all.disable_ipv6 = 1
# enable IPv6 forwarding
#net.ipv6.conf.all.forwarding = 1
# increase the number of possible inotify(7) watches
fs.inotify.max_user_watches = 65536
# avoid deleting secondary IPs on deleting the primary IP
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.icmp_echo_ignore_all=0


Any more suggestions?
farzanj Commented:
I am sorry, I think it should be

/proc/sys/net/ipv4/icmp_echo_ignore_all = 1

Because that would make it ignore all the icmp replies, even without iptables. Try it.
tanel (Author) Commented:
Ok.

During such attacks my data center closes my IP by forwarding it to a blackhole and says there is no other solution...

And now I want to ask them to close all ICMP traffic to my server. Will it solve the issue?

I'm not well informed about the datacentre's systems and would like to know what you think about this.
farzanj Commented:
Well, your computer would not become a participant. Normally they send huge ICMP packets, which fragment into smaller ones, and your system responds to each one, which creates a bigger problem, as your system unknowingly becomes a participant. Furthermore, the return address is also set to someone else's address, so you reply to some third network, making you an attacker. But we are certainly not stopping their traffic. However, hopefully the attacker would not get satisfaction, since you quit participating in their game.
myramu Commented:
Hello Tanel,

In general, all data centers use a firewall appliance to protect the servers. It is always better to block upstream so that your system can perform well.

Good Luck!
tanel (Author) Commented:
Thank you.