Web Hosting Talk

ICMP attack! how to block?


H2
03-27-2002, 12:04 AM
Look at this: http://www.h2hosting.com/t.php?interface=eth0

We set echo "1" > icmp_echo_ignore_all,
but incoming ICMP packets still target our host

20:44:22.590000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:22.610000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:22.750000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:22.820000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:22.820000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:22.980000 hnllhi1-ar1-4-63-132-102.hnllhi1.vz.dsl.gtei.net > 1309417189.vosn.net: icmp: echo request
20:44:22.990000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:22.990000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.000000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.090000 hnllhi1-ar1-4-63-132-102.hnllhi1.vz.dsl.gtei.net > 1309417189.vosn.net: icmp: echo request
20:44:23.090000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.100000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.410000 hnllhi1-ar1-4-63-132-102.hnllhi1.vz.dsl.gtei.net > 1309417189.vosn.net: icmp: echo request
20:44:23.410000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.420000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.440000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.440000 hnllhi1-ar1-4-63-132-102.hnllhi1.vz.dsl.gtei.net > 1309417189.vosn.net: icmp: echo request
20:44:23.450000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.460000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.480000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.480000 hnllhi1-ar1-4-63-132-102.hnllhi1.vz.dsl.gtei.net > 1309417189.vosn.net: icmp: echo request
20:44:23.490000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.500000 carcass.ne.client2.attbi.com > 1309417189.vosn.net: icmp: echo request
20:44:23.510000 hnllhi1-ar1-4-63-132-102.hnllhi1.vz.dsl.gtei.net > 1309417189.vosn.net: icmp: echo request


QUESTION: HOW to block them?

jambler
03-27-2002, 12:12 AM
It's been discussed before whether or not to block all ICMP. Personally, I block all ICMP, and I frankly enjoy seeing users try to ping the server over and over again thinking it's going to magically appear :). But to answer your question, I'm assuming you're using a *nix server. Depending on distro, use ipchains/iptables or ipf or ipfw.

H2
03-27-2002, 12:18 AM
I think that iptables/ipchains can't help, as I tried to block IPs
without results. They are sending packets and it is impossible to
block them after/before the router :(

For example, i did this:
/sbin/iptables -A INPUT -p icmp -s carcass.ne.client2.attbi.com --icmp-type echo-request -j DROP

but no luck

bitserve
03-27-2002, 04:16 PM
Originally posted by H2
I think that iptables/ipchains can't help, as I tried to block IPs
without results. They are sending packets and it is impossible to
block them after/before the router :(

For example, i did this:
/sbin/iptables -A INPUT -p icmp -s carcass.ne.client2.attbi.com --icmp-type echo-request -j DROP

but no luck

You should really specify an IP address and an interface.

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s 24.60.78.16/32 -d 0/0 -j DROP

What was that dump? Was it tcpdump? It's still going to show the packets even if it's denying them. You should really do a tcpdump -n to use IP addresses instead of names.

If it's not actually denying them, then that host name was probably spoofed. Another reason why you should use tcpdump -n.

Also, they could have just been spoofing their IP address too, so they could simply change the "source IP address", in which case you might just want to block all ICMP echo requests for a while, if not permanently:

iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s 0/0 -d 0/0 -j DROP

Of course this is a late reply to your problem. But maybe it will help next time. Or help someone else.
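An added example, not code from this thread or from any poster: a small Python triage script that applies bitserve's advice to a capture in the format shown above. It counts echo requests per source, separates numeric addresses from resolved names (the reason for tcpdump -n), and emits the per-source DROP rule in the form he gave. The sample capture, its addresses and the hostname are constructed.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample in the "src > dst: icmp: echo request" format of the thread's
# dump; RFC 5737 documentation addresses, not real hosts. The last line is a
# resolved name (tcpdump run without -n) to show why that is no basis for a rule.
SAMPLE_DUMP = """\
20:44:22.590000 192.0.2.10 > 198.51.100.5: icmp: echo request
20:44:22.610000 192.0.2.10 > 198.51.100.5: icmp: echo request
20:44:22.750000 192.0.2.10 > 198.51.100.5: icmp: echo request
20:44:22.980000 203.0.113.7 > 198.51.100.5: icmp: echo request
20:44:23.090000 192.0.2.10 > 198.51.100.5: icmp: echo request
20:44:23.420000 192.0.2.10 > 198.51.100.5: icmp: echo request
20:44:23.500000 198.51.100.5 > 192.0.2.10: icmp: echo reply
20:44:23.510000 host.example.net > 198.51.100.5: icmp: echo request
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.?\d*) (\S+) > (\S+): icmp: (.+)$")

def parse_line(line):
    """(seconds since midnight, src, dst, kind), or None for a non-ICMP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, dst, kind = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, dst, kind

def echo_request_stats(dump):
    """Per-source (count, packets/s) of echo requests; window floored at 1 s."""
    times = defaultdict(list)
    for rec in filter(None, map(parse_line, dump.splitlines())):
        if rec[3] == "echo request":
            times[rec[1]].append(rec[0])
    return {src: (len(ts), len(ts) / max(max(ts) - min(ts), 1.0))
            for src, ts in times.items()}

def flag_sources(dump, min_pps):
    """Sources at or above min_pps: (numeric addresses, names to re-capture with -n)."""
    by_ip, by_name = [], []
    for src, (_, pps) in echo_request_stats(dump).items():
        if pps >= min_pps:
            try:
                ipaddress.ip_address(src)
                by_ip.append(src)
            except ValueError:
                by_name.append(src)
    return sorted(by_ip), sorted(by_name)

def drop_rule(src_ip, iface="eth0"):
    """Per-source DROP in the form from the thread; silences replies, not inbound bytes."""
    return (f"iptables -A INPUT -i {iface} -p icmp --icmp-type echo-request "
            f"-s {src_ip}/32 -d 0/0 -j DROP")
```

As the later replies note, a host-level DROP still leaves the packets on the wire and on the bill; the script only tells you whom to report to the upstream provider.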

H2
03-27-2002, 06:32 PM
bitserve,

Thank you. Yes, i have an entry
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -s MF**IP_Address -d 0/0 -j DROP

Anyway, I wrote emails to the providers and now everything is OK. Next time I'll be ready for this :)

Personally, I think that we can't stop "echo requests"; we can only not send a reply back.

allan
03-27-2002, 08:28 PM
If your providers are willing to do it, you are better off blocking ICMP traffic at the router level, rather than at the server level.

bacid
03-29-2002, 01:14 AM
If you don't mind me asking, what program are you using to generate those traffic stats?

I'm currently using mrtg but the one you use looks nice.. :)

BTW, as the previous guy said, if you are getting DoSed, blocking at the server level ain't going to do much; you'll have to get yer ISP to set up filters on their routers.

priyadi
03-29-2002, 10:31 AM
Originally posted by H2
We set echo "1" > icmp_echo_ignore_all,
but incoming ICMP packets still target our host

icmp_echo_ignore_all only prevents your machine from responding to ICMP echo. The ICMP echo can still reach your machine, and it definitely won't stop them from flooding your bandwidth.

H2
03-29-2002, 11:13 AM
priyadi,

I know. I had filters in iptables, but they can't block incoming ICMP traffic. I'll be billed for this traffic as it goes through the router :)

if you dont mind me asking, what program are you using to generate those traffic stats?

Bacid,

You can find it at http://www.can-host.com/php/tfx.html
:)