Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : ICMP ping attack

[kayz]

Hi guys we are receiving an ICMP ping attack to our dedicated box which hosts a gameserver and a website, the OS is a windows 2003 server.

We are receiving packets of data from several ip addresses i believe which point to several places and it slows down the server and almost rendering it to lag and ultimately stop.

Here is an example from the log, the asterix's (**.***.***.***) are there to protect my servers ip address:

2010-09-28 00:19:02 DROP ICMP **.***.***.*** 173.192.220.103 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 89.32.44.100 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 195.246.8.120 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 195.246.8.120 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 78.46.102.86 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 85.13.135.209 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 78.46.103.46 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 173.192.220.103 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 195.246.8.120 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 94.249.143.6 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 195.246.8.120 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 173.192.220.103 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 173.192.220.103 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 173.192.220.103 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 173.192.220.103 - - 56 - - - - 11 1 - SEND
2010-09-28 00:19:02 DROP ICMP **.***.***.*** 195.246.8.120 - - 56 - - - - 11 1 - SEND


Any help and advice would be much appreciated.

Cheers

[Lightwave]

Dropping ICMP or UDP via a host firewall will only help half the problem.

If the flood is saturating your inbound... then any firewall settings you make are somewhat pointless.

Contact your upstream and tell them you need ICMP filtered at the router for the time being.

[FastServ]

Dropping ICMP at the server itself (linux/windows firewall) should eliminate any load caused by the traffic. Of course if it's saturating your network connection only your host can help you. Dropping the traffic upstream would be trivial for them if your host wants to help.

[mugo]

You may also want to make sure your provider has directed-broadcast ICMP echo off on the edge network equipment. That cuts out ping broadcast attacks (like smurfs, etc.).
They may be attacking you directly, but may also be hitting everyone on your subnet (at least). If there are a lot of hosts on your network, it can saturate bw very quickly.

[Hillockhosting]

use csf firewall or block ping via iptables

[kayz]

Thanks guys for your input, i will look into this.

We have two servers, both on windows 2003 server. Only one of the servers are being attacked as its our most busiest server. We dont have an external firewall/router the dedicated boxes are connected directly to the internet i believe. To have an external firewall installed we need to pay for 1 colo which we may consider if all other option fails.

Secondly, correct me if im wrong. In order to carry out ICMP attacks you need to have more power (Bandwidth) than the people you are executing it on - right? (This is what i have read upon.)

We have some rouge competitors trying to kill us off and taking everything for them themselves very selfishly. We know who is doing it but we can put a finger on them directly as they go on to make malicious indirect comments on chat/forums among other users etc

Funnily they are also in the same data centre as us, what can we do? This is with Rapid Switch, UK. Surely these people are breaking RS ToS and i dont think we cant report it without sufficient evidence but this is the case.

Any further help to pursue this would be apprecaited.

Cheers

[Coolraul]

Be sure it's a competitor before going down that road but for now, turn on the network monitor tool in windows server and capture the traffic to preserve for the future. If they are truly within the DC I am sure the DC would love to see that capture.