From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 00:57:49 2003
Date: Mon, 27 Oct 2003 00:57:46 -0800
From: Gregory Sutter
To: Brett Glass
cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027085746.GD98272@klapaucius.zer0.org>
In-Reply-To: <200310270731.AAA23485@lariat.org>
References: <200310270731.AAA23485@lariat.org>
Organization: Zer0
User-Agent: Mutt/1.5.4i
On 2003-10-27 00:31 -0700, Brett Glass wrote:
> We're being ping-flooded by the Nachi worm, which probes subnets for
> systems to attack by sending 92-byte ping packets. Unfortunately,
> IPFW doesn't seem to have the ability to filter packets by length.
> Assuming that I stick with IPFW, what's the best way to stem the
> tide?

You could filter by icmptype, with the result that no ICMP ECHO packets
would transit your firewall (i.e. ping stops working).

Here is what I use on one of my hosts. Comments welcome.

# icmp
# echo reply, dest unreach, redirect, echo request, ttl exceeded
$fwcmd add 07000 allow icmp from me to any out xmit $eth icmptypes 0,3,5,8,11
# echo reply, dest unreach, echo request, ttl exceeded
$fwcmd add 07010 allow icmp from any to me in recv $eth icmptypes 0,3,8,11

(The remainder are denied by default.)

Greg
-- 
Gregory S. Sutter                     It is no measure of health to be
mailto:gsutter@zer0.org               well adjusted to a profoundly
http://zer0.org/~gsutter/             sick society.  --Krishnamurti
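A small model of the trade-off discussed in this exchange, added to this archive page as an illustration (it is not Greg's ruleset or any FreeBSD code): it applies the post's icmptypes allow-lists with default deny, and for contrast a hypothetical length-aware rule of the kind Brett asks about, to two constructed packets. The 0xAA payload fill of the sample probe, the 10.0.0.x addresses, and the NO_ECHO type set are assumptions made for the example.

```python
import struct

# Greg's ipfw allow-lists from the post, by direction; anything else is denied.
GREG_ALLOWED = {"out": {0, 3, 5, 8, 11}, "in": {0, 3, 8, 11}}

def build_icmp_packet(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed sample IPv4+ICMP packet; checksums are left zero on purpose."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # assumed addrs
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # type, code, cksum, id, seq
    return ip_hdr + icmp_hdr + payload

def parse_icmp(pkt: bytes):
    """Return (ip_total_length, icmp_type), or None if the packet is not IPv4 ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or len(pkt) < ihl + 8:
        return None
    return total_len, pkt[ihl]

def icmptypes_verdict(pkt: bytes, direction: str, allowed=GREG_ALLOWED) -> str:
    """Model of 'allow icmp ... icmptypes <list>' followed by a default deny."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return "deny"
    return "allow" if parsed[1] in allowed[direction] else "deny"

def length_verdict(pkt: bytes, direction: str, blocked_len: int = 92) -> str:
    """Hypothetical length-aware rule (not an ipfw feature in the post): drop echo
    requests of exactly blocked_len bytes, the probe size Brett reports, then fall
    back to the type-based rules for everything else."""
    parsed = parse_icmp(pkt)
    if parsed is not None and parsed[1] == 8 and parsed[0] == blocked_len:
        return "deny"
    return icmptypes_verdict(pkt, direction)

# Constructed sample traffic: a 92-byte Nachi-style probe (0xAA fill is an
# assumption) and an 84-byte ordinary ping (56 data + 8 ICMP + 20 IP).
NACHI_PROBE = build_icmp_packet(b"\xaa" * 64)
NORMAL_PING = build_icmp_packet(b"\x00" * 56)
NO_ECHO = {"out": {0, 3, 5, 11}, "in": {0, 3, 11}}  # type-only fix: no echo at all

if __name__ == "__main__":
    for name, pkt in (("nachi", NACHI_PROBE), ("normal", NORMAL_PING)):
        print(name, len(pkt), icmptypes_verdict(pkt, "in"),
              icmptypes_verdict(pkt, "in", NO_ECHO), length_verdict(pkt, "in"))
```

Run as a script it prints one line per sample packet showing that Greg's list passes both, the echo-free list blocks both, and only the length rule separates the probe from a normal ping.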