
ICMP

There are two different ways to elicit ICMP reflector replies: using ICMP protocols designed as request/response (such as ICMP echo), or sending traffic that will generate an ICMP message because of some problem associated with the traffic [Po81b].

In the first category are the ping ICMPs (echo, timestamp, address mask, router solicitation, information request/reply). Of these, only the first is widely used, and presumably the victim can get by with little difficulty if replies to all of these are filtered out. (We note, though, that smurf attacks, in which the attacker sends ICMP echo requests to subnet broadcast addresses, are essentially a form of reflector DDOS attack.)

In the second category (unreachable, source quench, redirect, time exceeded, parameter problem), the most significant for the victim will be time exceeded (needed to run traceroute) and the unreachables, which include host unreachable (useful for tearing down state in some circumstances) and need fragmentation (necessary for PMTU discovery). It appears plausible that the victim would be willing to forgo these as a means to suppress a flooding attack.

Summary: reflectors generating ICMP messages can likely be filtered out.
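The victim-side filter described in this section, as an added example that is not part of the original paper: it reads the ICMP type and code from an inbound IPv4 packet, sorts the message into one of the two categories above, and reports which function the victim forgoes by dropping it. The ICMP type and code numbers come from the ICMP RFCs rather than from this page, and the function names, category labels, and sample packets are constructed for illustration.

```python
import struct

# First category on the page: replies to the request/response ICMPs.
QUERY_REPLIES = {0: "echo reply", 9: "router advertisement", 14: "timestamp reply",
                 16: "information reply", 18: "address mask reply"}
# Second category: messages generated by a problem with other traffic.
ERRORS = {3: "unreachable", 4: "source quench", 5: "redirect",
          11: "time exceeded", 12: "parameter problem"}
# What the victim forgoes by dropping, keyed by (type, code); code None = any.
COST = {(3, 1): "state teardown on host unreachable",
        (3, 4): "PMTU discovery",
        (11, None): "traceroute"}

def classify(packet: bytes):
    """Return (category, name, cost) for an inbound IPv4 packet; None if not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Non-first fragments carry no ICMP header, so type/code cannot be read.
    if ihl < 20 or frag_offset or len(packet) < ihl + 2:
        return None
    icmp_type, code = packet[ihl], packet[ihl + 1]
    cost = COST.get((icmp_type, code)) or COST.get((icmp_type, None))
    if icmp_type in QUERY_REPLIES:
        return ("reply", QUERY_REPLIES[icmp_type], cost)
    if icmp_type in ERRORS:
        return ("error", ERRORS[icmp_type], cost)
    return ("other", f"type {icmp_type}", None)

def should_drop(packet: bytes) -> bool:
    """Victim-side filter: drop every message a reflector could have generated."""
    verdict = classify(packet)
    return verdict is not None and verdict[0] in ("reply", "error")

def make_packet(icmp_type: int, code: int = 0, proto: int = 1) -> bytes:
    """Build a constructed sample: minimal IPv4 header (checksum left 0) + ICMP."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + icmp

if __name__ == "__main__":
    for t, c in [(0, 0), (3, 4), (3, 1), (11, 0), (8, 0)]:
        pkt = make_packet(t, c)
        print(t, c, classify(pkt), "DROP" if should_drop(pkt) else "pass")
```

Inbound echo requests (type 8) are not reflector replies, so this filter passes them; only the reply and error categories are dropped.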


Vern Paxson
2001-06-26