3

I recently have been getting hit by an attack that is very small around 70MBPS but causes TONS of upload...All signs point to ICMP. I realized in my firewall I have CSF firewall running on CentOS, that I had no limit on my outgoing ICMP rate...Woops. :P

Anything else I should block? We are primarily game servers so obviously blocking all incoming ICMP traffic is a no no. Or is it? That's why I'm here :D

Thanks for any tips,

Jeremy

Also, quick edit: we are on a 100MBPS port and the current firewall is able to block generic DDoS attacks in excess of 600MB without breaking a sweat.

Jeremy

5 Answers

3

Blocking all ICMP is definitely not a no-no, so I would go for that, at least as a temporary fix if some customers/gamers complain that they cannot ping your servers.

It is also not good to block ICMP if you use ping for server monitoring - but I guess you already know that ;-)

Frederik
    Blocking all ICMP is not a good idea and will prevent TCP from working optimally. There are certain ICMP types that are safe to block. I would look at rate limiting ICMP if ICMP based floods are a problem. – 3dinfluence Aug 06 '12 at 23:44
  • @3dinfluence, I block all ICMP traffic on my servers except between my servers. It works. it may not be optimal, but I certainly save a lot on the traffic, especially in a case like this. – Alexis Wilke Aug 07 '12 at 00:06
  • @AlexisWilke yes it will "work" but you may also have some odd TCP connection issues when dealing with network congestion or fragmentation issues due to MTUs, etc. – 3dinfluence Aug 07 '12 at 01:16
3

Sounds like a reflection/amplification attack if you're seeing a lot of traffic going out. Unfortunately you can't do much about the 70mbit that's hitting your firewall but you can try to minimize how much traffic is leaving your network. I haven't seen ICMP used for this for a while. It's normally DNS.

But I would rate limit ICMP if you're finding that it's being abused. Also these sorts of attacks normally appear to come from a single IP or netblock. These are spoofed so that the reply floods their target. You can block these IP addresses and netblocks pretty easily.

I would also double check that you're not seeing something using DNS as it seems to be the most abused system for these type of attacks. Verify that you don't allow DNS Queries from your WAN to hit your local recursive DNS server.

Once you have your outbound traffic under control if it continues to be a problem you can work with your ISP to try to block the abusing traffic.

3dinfluence
3

```bash
# Accept at most one ICMP packet per second in each direction ("interface" is a
# placeholder for your WAN interface). Packets over the limit simply fall through
# to the rest of the chain, so a later DROP rule or a DROP chain policy is needed
# for them to actually be discarded.
iptables -t filter -I INPUT -i interface -p icmp --icmp-type any -m limit --limit 1/s -j ACCEPT
iptables -t filter -I OUTPUT -p icmp --icmp-type any -m limit --limit 1/s -j ACCEPT
```

This will limit any type of ICMP incoming and outgoing request to 1/s, or you can specify echo requests only by specifying "8" or "echo-request" as the type.

Definitely it cannot block attacks, but it can certainly minimize incoming and outgoing requests.

Kevin Parker
  • These should be fairly standard rules, good idea posting them here. All my servers have these with 10/s configured as we do use multiple ping monitors. – jwbensley Aug 07 '12 at 11:25
1

ICMP shouldn't cause amplification unless you allow and respond to requests on broadcast addresses. DNS amplification is possible and would likely be a DDoS attack on another site. You may be able to filter out those addresses.

Try shutting down your DNS server to see if it resolves the output issue. If so there are a number of steps you can take:

  • Disable recursive queries from the Internet. (This requires split DNS of some sort.)
  • If your firewall or DNS support it, rate limit queries by IP or netblock.
  • Log queries (but limit log space). At these rates disk space could get used up quickly.

If not you will need to determine the type of traffic. There are a number of things you can do:

  • Monitor match counters on firewall rules.
  • Capture all headers for a second or two and analyze the capture.
  • Run a program like ntop to generate a report of traffic.
  • Look for rapidly growing access logs.

Rate limiting connections or blocking the sending addresses should help resolve the issue. You may need help from your provider if volume is too high for your connection.

BillThor
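The "capture headers and analyze" step above, together with 3dinfluence's point that reflection traffic arrives from a spoofed IP or netblock, can be turned into a small triage script. This is an added example, not code from any of the answers: it parses constructed tcpdump-style ICMP echo lines (hypothetical addresses), computes each source's echo-request rate and how many reply bytes the server sent back to it, and aggregates sources above a threshold into /24 candidates for blocking or rate limiting.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# tcpdump-style line, e.g.
# 12:00:01.000000 IP 203.0.113.5 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 1472
LINE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+)\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply).*length (?P<len>\d+)$")

def build_sample():
    """Constructed capture (hypothetical addresses, not real traffic): two spoofed
    sources in one /24 send 200 req/s of large echoes over 2 seconds, while a
    monitoring host pings once per second."""
    lines = []
    for i in range(400):
        src = f"203.0.113.{5 + i % 2}"
        ts = f"12:00:{i // 200:02d}.{(i % 200) * 5000:06d}"
        lines.append(f"{ts} IP {src} > 198.51.100.10: ICMP echo request, id 1, seq {i}, length 1472")
        lines.append(f"{ts} IP 198.51.100.10 > {src}: ICMP echo reply, id 1, seq {i}, length 1472")
    for i in range(2):
        lines.append(f"12:00:{i:02d}.500000 IP 192.0.2.50 > 198.51.100.10: ICMP echo request, id 7, seq {i}, length 64")
        lines.append(f"12:00:{i:02d}.500100 IP 198.51.100.10 > 192.0.2.50: ICMP echo reply, id 7, seq {i}, length 64")
    return lines

def analyse(lines, pps_threshold=20):
    """Return {netblock/24: {"req_pps", "reply_bytes"}} for sources whose echo
    request rate over the capture exceeds pps_threshold."""
    requests = defaultdict(int)      # echo requests seen per source IP
    reply_bytes = defaultdict(int)   # bytes we sent back per (spoofed) source
    seconds = set()                  # distinct wall-clock seconds in the capture
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        seconds.add(m["ts"])
        if m["kind"] == "request":
            requests[m["src"]] += 1
        else:
            reply_bytes[m["dst"]] += int(m["len"])
    span = max(len(seconds), 1)
    flagged = defaultdict(lambda: {"req_pps": 0.0, "reply_bytes": 0})
    for src, n in requests.items():
        pps = n / span
        if pps > pps_threshold:
            net = str(ip_network(f"{src}/24", strict=False))
            flagged[net]["req_pps"] += pps
            flagged[net]["reply_bytes"] += reply_bytes[src]
    return dict(flagged)

if __name__ == "__main__":
    for net, s in analyse(build_sample()).items():
        print(f"{net}: {s['req_pps']:.0f} echo req/s, {s['reply_bytes']} reply bytes sent back")
```

Replace `build_sample()` with lines from a real capture such as `tcpdump -nn icmp` to get the same per-netblock summary; the monitoring host stays below the threshold and is not reported.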
0

We use Cisco hardware firewalls but we block everything (including ICMP, literally everything) and then only allow specific IPs and ports. This is obviously more effort to ensure things work properly but it also definitely lets me sleep well at night.

Chopper3