From: Fernando Gleiser
To: jogegabsd
Date: Tue, 26 Mar 2002 21:20:25 -0300 (ART)
Subject: RE: Security!
Message-ID: <20020326210155.I87698-100000@cactus.fi.uba.ar>
Sender: owner-freebsd-questions@FreeBSD.ORG

Please, don't top-post. Top-posting is bad, mmmkay?

On Tue, 26 Mar 2002, jogegabsd wrote:

> I think they refer that you should be careful with a flood of ping messages
> and get a DoS, take a look at these links.

This is not the original poster's problem. He said a tool reported as a
security problem the fact that his server responds to an ICMP packet.

>
> http://www.networkice.com/Advice/Underground/Exploitz/Floods/Ping_Flood/default.htm
>
> http://www.cert.org/advisories/CA-1998-01.html
>
> You can receive a really large amount of ICMP echo request packets to the
> point you
> have too many, which means, DoS.

Yes, but if you are flooded, there's nothing you can do because the
resources are already exhausted. You can call your ISP to block the
offending packets on their side of the link, and pray they know how to
handle that type of incident. No amount of blocking on *your* side of the
link will give you your bandwidth back. Even if you block the "pongs" in
your firewall, your link to the Internet is full of garbage and unusable.

What you can do in your firewall is block ICMP destined to your local
*broadcast* address so you can not be used as a "smurf amplifier".

You can block some ICMP at your firewall but don't block all of it. ICMP is
an integral part of the TCP/IP suite, and blocking all of it will break
things. ICMP can be used to gain valuable info about a target network and it
is recommended to block any ICMP you don't need (who needs to reply to a
netmask request?), but it is not the only way to map a network, and
sometimes even if your firewall is properly configured, your upstream router
would leak some valuable info about your network.

                        Fer

>
> I really don't remember specific names right now, but there are a lot of
> companies
> that denied ICMP packets from the outside, in order to fix this.
> Actually it is a security policy in most systems.
>
> Don't worry that you can not see if your site is reachable or not. There are
> several
> tools (e.g. nmap) that make a different kind of analysis (SYN) to see if
> your network is reachable.
>
> You can keep the ICMP packet traffic from the inside.
>
> Hope this helps
>
> Gerardo Amaya
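The firewall advice in the reply above (drop ICMP addressed to the local broadcast address, keep the ICMP that TCP/IP needs, drop the rest), as an added example that is not part of the original message. It prints FreeBSD ipfw rules for review rather than applying them; the interface name em0, the network 192.0.2.0/24, the rule numbers and the set of allowed ICMP types are assumptions.

```shell
#!/bin/sh
# Added example: print ipfw rules for a selective ICMP policy.
# Nothing is applied; review the output before feeding it to a firewall.

# Directed broadcast address of a network given as a.b.c.d/prefix.
bcast_addr() {
    addr=${1%/*}
    bits=${1#*/}
    old_ifs=$IFS
    IFS=.
    set -- $addr                          # split the dotted quad into $1..$4
    IFS=$old_ifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    host=$(( (1 << (32 - bits)) - 1 ))    # mask covering the host bits
    b=$(( ip | host ))                    # all host bits set = broadcast
    echo "$(( (b >> 24) & 255 )).$(( (b >> 16) & 255 )).$(( (b >> 8) & 255 )).$(( b & 255 ))"
}

# Print the rules. $1 = outside interface, $2 = local network in CIDR form.
icmp_rules() {
    ext_if=$1
    bc=$(bcast_addr "$2")
    # 1. Never accept ICMP sent to the local broadcast address, so the
    #    network cannot be used as a smurf amplifier.
    echo "ipfw add 1000 deny icmp from any to $bc in via $ext_if"
    # 2. Keep the types things depend on (assumed set): 0 echo reply,
    #    3 destination unreachable (carries "fragmentation needed" for
    #    path MTU discovery), 8 echo request, 11 time exceeded.
    echo "ipfw add 1010 allow icmp from any to any in via $ext_if icmptypes 0,3,8,11"
    # 3. Drop every other ICMP type arriving from outside, such as
    #    13 timestamp request and 17 netmask request.
    echo "ipfw add 1020 deny icmp from any to any in via $ext_if"
}

# Constructed sample values: em0 and 192.0.2.0/24 (documentation range).
icmp_rules em0 192.0.2.0/24
```

As the reply points out, rules like these stop the host from amplifying or leaking information but do not recover bandwidth during a flood; that filtering has to happen upstream.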