Date: Tue, 26 Mar 2002 13:46:45 -0800
From: Benjamin Krueger <benjamin@macguire.net>
To: jogegabsd <jogegabsd@yahoo.com>
Cc: nl3481@wi.rr.com, Justin L Boss <jlboss@yahoo.com>, freebsd-questions@FreeBSD.ORG
Subject: Re: Security!
Message-ID: <20020326134645.A6729@rain.macguire.net>
In-Reply-To: <PJEDLKMCAOJCKEBNIJNOCEIECDAA.jogegabsd@yahoo.com>; from jogegabsd@yahoo.com on Tue, Mar 26, 2002 at 03:11:46PM -0600
References: <3CA0A724.AB91AC55@wi.rr.com> <PJEDLKMCAOJCKEBNIJNOCEIECDAA.jogegabsd@yahoo.com>

* jogegabsd (jogegabsd@yahoo.com) [020326 13:11]:
> I think they refer that you should be careful with a flood of ping messages
> and get a DoS, take a look at these links.
>
> http://www.networkice.com/Advice/Underground/Exploitz/Floods/Ping_Flood/default.htm
>
> http://www.cert.org/advisories/CA-1998-01.html
>
> You can receive a really large amount of ICMP echo request packets to the
> point you have too many, which means, DoS.
>
> I really don't remember specific names right now, but there are a lot of
> companies that denied ICMP packets from the outside, in order to fix this.
> Actually it is a security policy in most systems.
>
> Don't worry that you can not see if your site is reachable or not. There are
> several tools (e.g. nmap) that make a different kind of analysis (SYN) to see
> if your network is reachable.
>
> You can keep the ICMP packet traffic from the inside.
>
> Hope this helps
>
> Gerardo Amaya

Argh! I constantly see folks recommending the blocking of all ICMP packets
for "security". This is a bad idea, folks. Here's why.

ICMP exists for a good reason. It is one of the control mechanisms for IP.
Even the name is a testament to that fact: Internet Control Message Protocol.
Since IP is not a reliable protocol, ICMP is used to relay messages between
hosts and networks when things go wrong. These range from "Network
Unreachable" and "Port Unreachable" to "Slow down, you're sending too fast".
When you blindly cut off all ICMP messages, you effectively cripple the IP
protocol, and your network will suffer for it.

Having said that, there are some types of ICMP packets which can be blocked
without any negative impact on your network. I suggest researching IP/ICMP
and the functions of the different ICMP types before being so rash as to
block all ICMP at your border.

http://www.rware.demon.co.uk/icmp.htm
ftp://ftp.isi.edu/in-notes/rfc791.txt
ftp://ftp.isi.edu/in-notes/rfc792.txt

Just as an aside, blocking ICMP will not cure any DoS situation short of
cutting it off at your upstream provider before it enters your internet
connection. Your firewall may deny the packets, but they're still eating
your network connection bandwidth, and spinning cycles on your router.

-- 
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
 - Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
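
Added example, not part of the original message: one way to filter ICMP by type at a FreeBSD border with ipfw instead of dropping all of it, which is the approach the reply above argues for. The interface name fxp0, the rule numbers and the choice of allowed types are assumptions of this example; the message itself gives no list.

```sh
#!/bin/sh
# Added example: emit ipfw rules that filter ICMP by type at the border
# instead of dropping all of it. Interface, rule numbers and the type
# lists are assumptions of this example, not values from the message.

OIF="${OIF:-fxp0}"     # hypothetical outside interface
BASE="${BASE:-1000}"   # hypothetical first rule number

# RFC 792 types: 0 echo reply, 3 destination unreachable, 4 source quench,
# 8 echo request, 11 time exceeded, 12 parameter problem.
IN_TYPES="${IN_TYPES:-0,3,4,11,12}"    # replies and error reports we need
OUT_TYPES="${OUT_TYPES:-3,4,8,11,12}"  # our pings out, our error reports

# has_type LIST TYPE: succeed if TYPE is in the comma-separated LIST.
has_type() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the rule set. Refuse a policy that drops inbound error reports:
# without type 3 hosts never learn of unreachable networks or ports (and
# path MTU discovery stalls); without type 11 traceroute stops working.
icmp_rules() {
    for t in 3 11; do
        if ! has_type "$IN_TYPES" "$t"; then
            echo "refusing policy: inbound ICMP type $t is not allowed" >&2
            return 1
        fi
    done
    echo "ipfw -q add $BASE allow icmp from any to any in via $OIF icmptypes $IN_TYPES"
    echo "ipfw -q add $((BASE + 10)) allow icmp from any to any out via $OIF icmptypes $OUT_TYPES"
    echo "ipfw -q add $((BASE + 20)) deny log icmp from any to any via $OIF"
}

# Print the rules for review; pipe the output to sh as root to load them.
if [ "${1:-}" = "print" ]; then
    icmp_rules
fi
```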
