Date:      Tue, 26 Mar 2002 21:20:25 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        jogegabsd <jogegabsd@yahoo.com>
Cc:        <nl3481@wi.rr.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Security!
Message-ID:  <20020326210155.I87698-100000@cactus.fi.uba.ar>
In-Reply-To: <PJEDLKMCAOJCKEBNIJNOCEIECDAA.jogegabsd@yahoo.com>

Please, don't top-post. Top-posting is bad, mmmkay?


On Tue, 26 Mar 2002, jogegabsd wrote:

> I think they refer that you should be careful with a flood of ping messages
> and get a DoS, take a look at this links.

This is not the original poster's problem. He said a tool reported as a
security problem the fact that his server responds to an ICMP packet.

>
> http://www.networkice.com/Advice/Underground/Exploitz/Floods/Ping_Flood/defa
> ult.htm
>
> http://www.cert.org/advisories/CA-1998-01.html
>
> You can receive a really large amount of ICMP echo request packets to the
> point you have too many, which means, DoS.

Yes, but if you are flooded, there's nothing you can do because the resources
are already exhausted. You can call your ISP to block the offending packets
on their side of the link, and pray they know how to handle that type of
incident. No amount of blocking on *your* side of the link will give you
your bandwidth back.

Even if you block the "pongs" in your firewall, your link to the Internet
is full of garbage and unusable.

What you can do in your firewall is block ICMP destined to your local
*broadcast* address so you can not be used as a "smurf amplifier".

You can block some ICMP at your firewall but don't block all of it.
ICMP is an integral part of the TCP/IP suite, and blocking all of it
will break things.

ICMP can be used to gain valuable info about a target network and it is
recommended to block any ICMP you don't need (who needs to reply to a netmask
request), but it is not the only way to map a network, and sometimes even if
your firewall is properly configured, your upstream router would leak some
valuable info about your network.



				Fer


>
> I really don't remember specific names right now, but there are a lot of
> companies that deny ICMP packets from the outside, in order to fix this.
> Actually it is a security policy in most systems.
>
> Don't worry that you can not see if your site is reachable or not. There are
> several tools (e.g. nmap) that make a different kind of analysis (SYN) to see
> if your network is reachable.
>
> you can keep the ICMP packet traffic from the inside.
>
> Hope this helps
>
> Gerardo Amaya
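As an added illustration (not code from this thread or from FreeBSD), here is the ICMP policy Fer describes, written as a small Python decision function and rendered as ipfw(8) rules: drop ICMP aimed at the local broadcast address, keep the types the stack needs, and drop the information-leaking requests. The network 192.0.2.0/24 and the allow_ping switch are assumptions made for the example.

```python
import ipaddress

# ICMP type numbers (RFC 792 / RFC 950)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
TIMESTAMP_REQ, INFO_REQ, MASK_REQ = 13, 15, 17

# Types the host relies on even from the outside: replies to its own pings,
# "destination unreachable" (including fragmentation-needed, which path-MTU
# discovery depends on) and "time exceeded". Blocking these breaks things.
NEEDED_FROM_OUTSIDE = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}


def icmp_verdict(dst, icmp_type, local_net, allow_ping=True):
    """Return 'allow' or 'deny' for an inbound ICMP packet to dst."""
    net = ipaddress.ip_network(local_net, strict=False)
    dst_addr = ipaddress.ip_address(dst)
    # Anything sent to the directed broadcast address is dropped: an echo
    # request there makes every host answer, i.e. a "smurf amplifier".
    if dst_addr == net.broadcast_address:
        return "deny"
    if dst_addr not in net:          # not addressed to us at all
        return "deny"
    if icmp_type in NEEDED_FROM_OUTSIDE:
        return "allow"
    if icmp_type == ECHO_REQUEST and allow_ping:
        return "allow"               # plain ping; a site choice, not a hole
    # Netmask, timestamp and info requests only leak information: drop them.
    return "deny"


def ipfw_rules(local_net, allow_ping=True):
    """Render the same policy as ipfw(8) rules (hypothetical rule set)."""
    net = ipaddress.ip_network(local_net, strict=False)
    allowed = set(NEEDED_FROM_OUTSIDE)
    if allow_ping:
        allowed.add(ECHO_REQUEST)
    types = ",".join(str(t) for t in sorted(allowed))
    return [
        f"ipfw add deny icmp from any to {net.broadcast_address}",
        f"ipfw add allow icmp from any to {net} icmptypes {types}",
        "ipfw add deny icmp from any to any",
    ]


if __name__ == "__main__":
    for rule in ipfw_rules("192.0.2.0/24"):   # constructed sample network
        print(rule)
```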





