================================================================
This example incident report is void - for testing purposes only
================================================================

Delivered-To: cert@our_cert_team.dom
X-Sender: cert@192.168.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Tue, 18 Sep 2001 13:10:35 +0100
To: cert@our_cert_team.dom
From: our_contact@a_site.dom
Subject: ICMP DoS traffic

ICMP Offenders for Sunday 16th

Traffic indicates ICMP flows to the States (probable DoS). In alphabetical order...

Site 1  To US   7035.45   0.00   0.00  0.00  0.00  0.00  0.00  ICMP  0.00% / 100.00%  ==   7,035.45 Mb of ICMP
Site 2  To US   7036.75   0.00   0.00  0.00  0.00  0.00  0.00  ICMP  0.82% / 100.00%  ==   7,036.75 Mb of ICMP
Site 3  To US  19016.32  69.48  15.62  1.67  0.32  0.10  6.06  ICMP  0.16% /   6.74%  ==   1,281.7  Mb of ICMP
Site 4  To US  25074.37  82.02   1.65  1.92  0.23  0.29  9.62  ICMP  3.13% /   4.18%  ==   1,048.11 Mb of ICMP
Site 5  To US  10833.32   0.00   0.00  0.00  0.00  0.00  0.00  ICMP  0.16% / 100.00%  ==  10,833.32 Mb of ICMP
Site 6  To US   6910.15   0.00   0.00  0.00  0.43  0.00  0.00  ICMP  0.37% /  99.57%  ==   6,880.44 Mb of ICMP

I have only shown sites that have transmitted over 1 Gb (and yes, Site 5 exceeded the 10 Gb mark).

This is getting beyond a joke and is _significantly_ increasing the risk of reprisal attacks against us. I have sent some messages regarding ICMP around the mail list in the recent past but it, obviously, has little long-term effect.

I guess we need to notify these sites in the short term, but we do need a low-maintenance, long-term solution. If all else fails we could "name and shame" all that exceed a certain boundary each day via our mailing list? All of the information is publicly available, so we would not be displaying information that is restricted in any way, we would just display it in a different format!!!

Any thoughts welcome!

Regards
Anon
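The daily "name and shame" threshold check proposed above, as an added example that is not part of the original report: it parses the six per-site summary lines exactly as they appear in the message, recomputes the ICMP volume from the total and the second ICMP percentage (the report's own "==" figures are consistent with total x that share), and lists every site over a threshold. Assumptions, not stated in the report: the six unlabelled columns after the total are per-protocol shares in percent (they sum to about 100% together with the second ICMP figure), the "Mb" unit is a decimal megabit so "1 Gb" is 1000 Mb, and the threshold and function names are this example's own.

```python
"""Flag ICMP offenders from the per-site flow summary in the report above.

Added example; not the reporter's tooling. The summary lines below are
copied from the report and serve as constructed input. Column meaning is
assumed: total Mb, six per-protocol shares (%), ICMP share pair (%), and
the reporter's own ICMP Mb figure after "==".
"""
import re
from dataclasses import dataclass, field

# Constructed input: the six summary lines from the report, one per site.
REPORT_LINES = """\
Site 1 To US 7035.45 0.00 0.00 0.00 0.00 0.00 0.00 ICMP 0.00% / 100.00% == 7,035.45 Mb of ICMP
Site 2 To US 7036.75 0.00 0.00 0.00 0.00 0.00 0.00 ICMP 0.82% / 100.00% == 7,036.75 Mb of ICMP
Site 3 To US 19016.32 69.48 15.62 1.67 0.32 0.10 6.06 ICMP 0.16% / 6.74% == 1,281.7 Mb of ICMP
Site 4 To US 25074.37 82.02 1.65 1.92 0.23 0.29 9.62 ICMP 3.13% / 4.18% == 1,048.11 Mb of ICMP
Site 5 To US 10833.32 0.00 0.00 0.00 0.00 0.00 0.00 ICMP 0.16% / 100.00% == 10,833.32 Mb of ICMP
Site 6 To US 6910.15 0.00 0.00 0.00 0.43 0.00 0.00 ICMP 0.37% / 99.57% == 6,880.44 Mb of ICMP
"""

# One summary line: site, direction, total, six shares, ICMP pair, stated ICMP Mb.
LINE_RE = re.compile(
    r"^(?P<site>Site \d+) To US (?P<total>[\d.]+)"
    r"(?P<shares>(?: [\d.]+){6}) ICMP (?P<p1>[\d.]+)% / (?P<p2>[\d.]+)%"
    r" == (?P<stated>[\d,.]+) Mb of ICMP$"
)

# Assumption: "1 Gb" in the report means 1000 Mb (decimal units).
ONE_GB_MB = 1000.0


@dataclass
class SiteFlow:
    site: str
    total_mb: float
    shares: list = field(default_factory=list)  # six unlabelled per-protocol shares, in %
    icmp_pct_1: float = 0.0
    icmp_pct_2: float = 0.0                      # ICMP share of the site's To-US traffic, in %
    stated_icmp_mb: float = 0.0                  # the report's own "== ... Mb of ICMP" figure

    @property
    def icmp_mb(self) -> float:
        """ICMP volume recomputed from the total and the second ICMP share."""
        return self.total_mb * self.icmp_pct_2 / 100.0


def parse_report(text: str) -> list:
    """Parse every summary line; raise on a line the pattern does not recognise."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised summary line: {line!r}")
        flows.append(SiteFlow(
            site=m["site"],
            total_mb=float(m["total"]),
            shares=[float(x) for x in m["shares"].split()],
            icmp_pct_1=float(m["p1"]),
            icmp_pct_2=float(m["p2"]),
            stated_icmp_mb=float(m["stated"].replace(",", "")),
        ))
    return flows


def consistency_errors(flows: list, tol_mb: float = 0.01) -> list:
    """Sites whose stated ICMP Mb disagrees with total x ICMP share."""
    return [f.site for f in flows if abs(f.icmp_mb - f.stated_icmp_mb) > tol_mb]


def protocol_share_gap(flows: list, tol_pct: float = 0.5) -> list:
    """Sites whose six shares plus the ICMP share do not add up to ~100%
    (a sanity check on the assumed column meaning)."""
    return [f.site for f in flows
            if abs(sum(f.shares) + f.icmp_pct_2 - 100.0) > tol_pct]


def offenders(flows: list, threshold_mb: float = ONE_GB_MB) -> list:
    """Sites whose ICMP volume exceeds the threshold, largest first."""
    hits = [f for f in flows if f.icmp_mb > threshold_mb]
    return sorted(hits, key=lambda f: f.icmp_mb, reverse=True)


def name_and_shame(flows: list, threshold_mb: float = ONE_GB_MB) -> str:
    """The daily list the report proposes posting to the mailing list."""
    lines = [f"ICMP offenders over {threshold_mb:,.0f} Mb:"]
    for f in offenders(flows, threshold_mb):
        lines.append(f"  {f.site}: {f.icmp_mb:,.2f} Mb of ICMP "
                     f"({f.icmp_pct_2:.2f}% of its To-US traffic)")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_report(REPORT_LINES)
    print(name_and_shame(flows))
    print("inconsistent lines:", consistency_errors(flows) or "none")
    print("share-sum anomalies:", protocol_share_gap(flows) or "none")
```

Run against the report's own lines, all six sites exceed the 1000 Mb threshold and Site 5 alone exceeds 10,000 Mb, matching the reporter's remark; the two consistency functions come back empty, which is what justifies trusting the "==" column rather than re-deriving it by hand each day.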