Date:      Mon, 27 Oct 2003 09:34:37 -0000
From:      Kris Kennaway <kris@obsecurity.org>
To:        Jarkko Santala <jake@iki.fi>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   Re: Best way to filter "Nachi pings"?
Message-ID:  <20031027093435.GA6111@rot13.obsecurity.org>
In-Reply-To: <20031027110203.B96390@trillian.santala.org>
References:  <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> <20031027110203.B96390@trillian.santala.org>



On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
> On Mon, 27 Oct 2003, Kris Kennaway wrote:
>
> > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > > We're being ping-flooded by the Nachi worm, which probes subnets for
> > > systems to attack by sending 92-byte ping packets. Unfortunately,
> > > IPFW doesn't seem to have the ability to filter packets by length.
> > > Assuming that I stick with IPFW, what's the best way to stem the
> > > tide?
> >
> > Block all ping packets?  Most security-conscious admins do this
>
> D'oh? I like ping very much and it would make me very sad indeed if I
> couldn't ping my boxes to solve possible network problems along the way. I
> fail to see the security problem and possible DoS issues could be solved
> by using limiting of sort.

The security and DoS concerns are really kind of obvious.

No-one has a gun to your head though, so I fail to see why you're
complaining that someone else might do this on their own network.

> Definitely this block-all approach is not sane, it's like if someone
> complains about NFS being broken you'd say disable it. Filtering packets
> by length on the other hand is a very nice feature to have.

As it happens, ipfw[2] does this anyway.

Kris

