This evening I needed to change some NAT rules on my home router, and before applying the setting I took a look at the log and was surprised by a bunch of DoS, SYN flood and ping flood events captured in my router log. Apparently I forgot to turn off the ICMP service on this one, but what the heck! This is a very well known kind of attack, known since the days I was young. Disabling ICMP on a router should be the default setting from the factory as a best practice. Pity it normally isn't.
Ping flooding and SYN flooding are common attacks against anything reachable from the internet (web servers, but also home routers) and fall under the heading of DoS (Denial of Service). The same attacks are called DDoS (Distributed Denial of Service) when they come from many machines at once: DoS means a single attacking machine, DDoS means many machines doing the same thing, which is harder to block by source address. A ping flood is simple: the attacker sends a large and continuous stream of ICMP (Internet Control Message Protocol) echo request packets to the target. Every request the target accepts costs it bandwidth and CPU, and if ICMP is not disabled it answers each one with an echo reply, which doubles the traffic on its own link (that reply is exactly what the attacker wants). A related ICMP attack, the smurf attack, sends echo requests to a network's broadcast address with the victim's address spoofed as the source, so that every host on that network replies to the victim at once; some people use "smurfing" loosely for ping floods in general, but strictly it is that amplified variant.
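To make the DoS/DDoS distinction above concrete from the defender's side, here is a small sliding-window detector for ICMP echo-request floods. It is an added example, not code from the original post: the input records are constructed in the script to stand in for what a router log or packet capture would give you, and the window and thresholds are assumed values you would tune for your own link.

```python
"""Added example: sliding-window ICMP echo-request flood detector.

Not from the original post. Records are constructed (t_seconds, src_ip,
icmp_type) tuples standing in for a router log or packet capture; the
window and limits are assumptions for illustration.
"""
from collections import defaultdict, deque

ECHO_REQUEST = 8          # ICMP type 8 = echo request (what "ping" sends)
ECHO_REPLY = 0            # ICMP type 0 = echo reply (what a victim answers with)
WINDOW_SECONDS = 1.0      # assumed window over which requests are counted
PER_SOURCE_LIMIT = 20     # assumed: more than this per window from one host = flood
AGGREGATE_LIMIT = 100     # assumed: more than this per window in total = flood


def detect_icmp_flood(records, window=WINDOW_SECONDS,
                      per_source_limit=PER_SOURCE_LIMIT,
                      aggregate_limit=AGGREGATE_LIMIT):
    """Classify `records` (sorted by time) as no flood, single-source DoS
    or distributed DDoS, based only on echo requests."""
    per_src = defaultdict(deque)   # src -> timestamps still inside the window
    all_ts = deque()               # every echo request inside the window
    flooding_sources = set()
    aggregate_flood = False
    for t, src, icmp_type in records:
        if icmp_type != ECHO_REQUEST:
            continue               # replies, unreachables etc. are not the flood
        q = per_src[src]
        q.append(t)
        all_ts.append(t)
        while q and t - q[0] > window:          # slide the per-source window
            q.popleft()
        while all_ts and t - all_ts[0] > window:  # slide the aggregate window
            all_ts.popleft()
        if len(q) > per_source_limit:
            flooding_sources.add(src)
        if len(all_ts) > aggregate_limit:
            aggregate_flood = True
    if not flooding_sources and not aggregate_flood:
        return {"flood": False, "kind": None, "sources": []}
    # One loud host is a DoS; several loud hosts, or many quiet hosts whose
    # sum is loud, is the distributed case.
    kind = "dos" if len(flooding_sources) == 1 and not aggregate_flood else "ddos"
    return {"flood": True, "kind": kind, "sources": sorted(flooding_sources)}


# Constructed sample traffic (not real captures).
NORMAL_PINGS = [(i * 1.0, "10.0.0.5", ECHO_REQUEST) for i in range(10)]

SINGLE_SOURCE_FLOOD = sorted(
    NORMAL_PINGS
    + [(2.0 + i * 0.01, "203.0.113.7", ECHO_REQUEST) for i in range(50)]
    + [(2.1, "198.51.100.1", ECHO_REPLY)]          # a reply, ignored
)

DISTRIBUTED_FLOOD = sorted(
    (5.0 + j * 0.15 + i * 0.001, f"192.0.2.{i}", ECHO_REQUEST)
    for i in range(1, 31) for j in range(5)         # 30 hosts, 5 requests each
)

if __name__ == "__main__":
    for name, sample in [("normal", NORMAL_PINGS),
                         ("single source", SINGLE_SOURCE_FLOOD),
                         ("distributed", DISTRIBUTED_FLOOD)]:
        print(name, detect_icmp_flood(sample))
```

The distributed sample is the awkward case for per-source blocking: no single host exceeds the per-source limit, so only the aggregate counter catches it, which is why a home router's "block source X" rule is of limited use against a real DDoS.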
A SYN flood abuses the way TCP/IP sets up a connection, the three-way handshake (SYN, SYN-ACK, ACK). The attacker sends SYN packets to a port on the target that is in the LISTEN state, usually with a forged (spoofed) source address so that the target's SYN-ACK goes to a machine that never answers. For every SYN it accepts, the operating system has to remember a half-open connection in a buffer (the listen backlog) while it waits for the final ACK that never arrives. When enough of these SYNs are sent, that buffer fills up, new SYNs from real users are dropped, and the service hangs or becomes unreachable on the network even though the server itself is still running.
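The half-open buffer described above is easiest to understand by modelling it. The toy listener below is an added example, not code from the original post: it keeps only the part of TCP state relevant here (an assumed backlog size and SYN timeout), and shows both why spoofed SYNs that never complete the handshake lock a real client out, and why SYN cookies, the usual Linux mitigation (not discussed in the post), avoid the problem by storing no state until the final ACK arrives.

```python
"""Added example: toy model of a TCP listen backlog under SYN flood.

Not from the original post. Backlog size, timeout and the cookie secret are
assumptions; the cookie is a simplified HMAC of the peer address, not the
exact encoding real kernels use.
"""
import hashlib
import hmac
import random


class Listener:
    """A listening port. In stateful mode every accepted SYN occupies a
    half-open slot until the ACK arrives or the slot times out; in
    syn_cookies mode the server ISN itself carries the proof and no slot
    is used."""

    def __init__(self, backlog=128, syn_timeout=60.0, syn_cookies=False):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.syn_cookies = syn_cookies
        self.half_open = {}          # (src, sport) -> (server_isn, expiry)
        self.established = set()
        self.dropped_syns = 0
        self.secret = b"assumed-per-boot-secret"   # assumption for the model

    def _cookie(self, src, sport):
        # Stateless "ISN": an HMAC over the peer; only a peer that really
        # received our SYN-ACK can echo it back in the final ACK.
        mac = hmac.new(self.secret, f"{src}:{sport}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}

    def on_syn(self, src, sport, now):
        """Return the server ISN sent in SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return self._cookie(src, sport)        # nothing stored
        self._expire(now)
        if len(self.half_open) >= self.backlog:   # buffer full: drop the SYN
            self.dropped_syns += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = (isn, now + self.syn_timeout)
        return isn

    def on_ack(self, src, sport, ack_isn, now):
        """Final ACK of the handshake; ack_isn is the server ISN echoed back."""
        key = (src, sport)
        if self.syn_cookies:
            ok = ack_isn == self._cookie(src, sport)
        else:
            self._expire(now)
            entry = self.half_open.pop(key, None)
            ok = entry is not None and entry[0] == ack_isn
        if ok:
            self.established.add(key)
        return ok


def simulate(syn_cookies, flood_size=1000, backlog=128):
    """Attacker sends flood_size SYNs from spoofed sources and never ACKs,
    then one legitimate client attempts a full handshake.
    Returns (client_connected, syns_dropped)."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(flood_size):
        # Spoofed sources: the SYN-ACK goes nowhere, so the ACK never comes.
        srv.on_syn(f"198.51.100.{i % 250}", 40000 + i, now=i * 0.001)
    isn = srv.on_syn("10.0.0.5", 51000, now=2.0)
    client_ok = isn is not None and srv.on_ack("10.0.0.5", 51000, isn, now=2.05)
    return client_ok, srv.dropped_syns


if __name__ == "__main__":
    print("stateful backlog:", simulate(syn_cookies=False))   # client refused
    print("syn cookies:    ", simulate(syn_cookies=True))     # client connects
```

With a 128-entry backlog and a 60 second timeout, 1000 spoofed SYNs fill the table after the first 128 and everything after that, including the real client's SYN, is dropped; the cookie listener never stores a half-open entry, so the flood costs it only the SYN-ACKs it sends.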
There are many references on the net about this kind of attack, including this basic one, this one and the wiki. If you are interested in how to counter it, the first step is simple: disable the ICMP service on the WAN interface of your modem/router, so that it silently drops incoming ICMP echo requests instead of answering them. Two caveats are worth knowing. Dropping echo requests stops the router from spending CPU and upstream bandwidth on replies (and from showing up in ping sweeps), but the attacker's packets still arrive and still consume your downstream link until the flood stops. And it does nothing against SYN floods, which are TCP rather than ICMP: for those you want the router to drop unsolicited inbound SYNs on the WAN side (no open ports or NAT forwarding rules you do not need) and, on any host you do expose, SYN cookies or an equivalent backlog protection.
Open the admin page of your home router, find the Access Control settings and disable the ICMP service. Here is mine on the D-Link stock ADSL router from Speedy Telkom: