Date: Mon, 27 Oct 2003 00:57:46 -0800
From: Gregory Sutter <gsutter@zer0.org>
To: Brett Glass <brett@lariat.org>
Cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027085746.GD98272@klapaucius.zer0.org>
In-Reply-To: <200310270731.AAA23485@lariat.org>
References: <200310270731.AAA23485@lariat.org>
On 2003-10-27 00:31 -0700, Brett Glass <brett@lariat.org> wrote:
> We're being ping-flooded by the Nachi worm, which probes subnets for
> systems to attack by sending 92-byte ping packets. Unfortunately,
> IPFW doesn't seem to have the ability to filter packets by length.
> Assuming that I stick with IPFW, what's the best way to stem the
> tide?

You could filter by icmptype, with the result that no ICMP ECHO packets
would transit your firewall (i.e. ping stops working). Here is what I
use on one of my hosts. Comments welcome.

# icmp
# echo reply, dest unreach, redirect, echo request, ttl exceeded
$fwcmd add 07000 allow icmp from me to any out xmit $eth icmptypes 0,3,5,8,11
# echo reply, dest unreach, echo request, ttl exceeded
$fwcmd add 07010 allow icmp from any to me in recv $eth icmptypes 0,3,8,11

(The remainder are denied by default.)

Greg
-- 
Gregory S. Sutter                     It is no measure of health to be
mailto:gsutter@zer0.org               well adjusted to a profoundly
http://zer0.org/~gsutter/             sick society.  --Krishamurti
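An added example, not part of the thread, to make the trade-off in the reply concrete: the icmptypes rule above decides on type alone, so as long as type 8 stays in the inbound list the worm's echo requests are still admitted, and the 92-byte length test that ipfw of that era could not express has to be done elsewhere (a sniffer, a log post-processor). The Python below parses raw IPv4/ICMP bytes, applies the same inbound type decision as rule 07010, and flags echo requests carried in a 92-byte datagram; the packets and the 64-byte 0xAA payload (20 + 8 + 64 = 92) are constructed assumptions for the demonstration.

```python
import struct
from typing import NamedTuple, Optional

# Inbound ICMP types admitted by rule 07010 in the reply; anything else hits the default deny.
ALLOWED_INBOUND_ICMP_TYPES = {0, 3, 8, 11}
ICMP_ECHO_REQUEST = 8
NACHI_PROBE_LENGTH = 92  # total IP datagram length of the probe, as reported in the thread

class IcmpPacket(NamedTuple):
    src: str
    dst: str
    total_length: int
    icmp_type: int
    icmp_code: int

def parse_ipv4_icmp(raw: bytes) -> Optional[IcmpPacket]:
    """Decode the IPv4 header and the ICMP type/code; None if not an IPv4 ICMP packet."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or len(raw) < ihl + 8:
        return None
    return IcmpPacket(".".join(map(str, src)), ".".join(map(str, dst)), total_len, raw[ihl], raw[ihl + 1])

def inbound_verdict(pkt: IcmpPacket) -> str:
    """What the icmptypes rule decides: type-based only, so echo requests are still let in."""
    return "allow" if pkt.icmp_type in ALLOWED_INBOUND_ICMP_TYPES else "deny"

def looks_like_nachi_probe(pkt: IcmpPacket) -> bool:
    """The length check ipfw could not express: an echo request inside a 92-byte datagram."""
    return pkt.icmp_type == ICMP_ECHO_REQUEST and pkt.total_length == NACHI_PROBE_LENGTH

def probe_sources(packets):
    """Count suspect probes per source address, e.g. to feed a log or a blocklist."""
    counts = {}
    for raw in packets:
        pkt = parse_ipv4_icmp(raw)
        if pkt and looks_like_nachi_probe(pkt):
            counts[pkt.src] = counts.get(pkt.src, 0) + 1
    return counts

def build_icmp(src: str, dst: str, icmp_type: int, payload_len: int) -> bytes:
    """Constructed sample packet (checksums left zero; the parser ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 0x200, 1) + b"\xaa" * payload_len
```

A 56-byte-payload ping (the usual 84-byte datagram) passes the length check untouched, which is the distinction the type-only rule cannot make.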