From owner-freebsd-chat Tue May 4 15:49: 2 1999
Delivered-To: freebsd-chat@freebsd.org
Received: from bytor.rush.net (bytor.rush.net [209.45.245.145]) by hub.freebsd.org (Postfix) with ESMTP id 2132E14E6C for ; Tue, 4 May 1999 15:48:52 -0700 (PDT) (envelope-from lynch@rush.net)
Received: from localhost (lynch@localhost) by bytor.rush.net (8.9.3/8.9.3) with ESMTP id SAA17311; Tue, 4 May 1999 18:48:32 -0400 (EDT)
Date: Tue, 4 May 1999 18:48:32 -0400 (EDT)
From: Pat Lynch
To: Doug White
Cc: Fadi Sodah, freebsd-chat@FreeBSD.ORG
Subject: Re: ICMP-attack
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

moving to -chat just 'cuz

On Tue, 4 May 1999, Doug White wrote:

> On Mon, 3 May 1999, Pat Lynch wrote:
>
> > Doug, that actually won't work, the only way to make smurfs useless is to
> > get enough bandwidth to handle the attack, or have your upstream filter
> > for you, the only thing this solves is DoS on the local net, but any
> > communication in or out the gateway is still going to be impossible.
>
> Er? If you filter ICMP at your router, the pings (or whatever) can't
> reach their intended target.
>
> If you want to completely foil smurfs on your FreeBSD boxen, set sysctl
> net.inet.icmp.bmcastecho=0.
>

Yes, but the point of a smurf attack is to saturate a network or cripple a
router. Unfortunately, more times than not, smurf attacks cripple routers
(especially ones filtering those ICMPs); having dealt with smurfs more than
most, I've seen it happen many a time. And yes, you can avoid being a "smurf
amplifier" by not responding to broadcast pings.

Blocking ICMP at the host level is still not going to help at all.

> > Now if you do this for icmp going out, it will keep people from launching
> > attacks from your network *but* ICMP is a useful protocol, as I found out
> > when I blocked icmp, some routers need to tell machines to send smaller
> > packets, and will send messages to that effect using ICMP, if you are
> > running a website, this is especially true.
>
> Yeah, it breaks MTU Discovery and other actually useful bits. The rule
> could be more detailed.
>

True, I found out to my chagrin that MTU discovery didn't work and was
causing problems when I blocked all ICMP. Most people miss the point of
ICMP; it's not just for ping or traceroute.

> Doug White
> Internet: dwhite@resnet.uoregon.edu | FreeBSD: The Power to Serve
> http://gladstone.uoregon.edu/~dwhite | www.freebsd.org
>

___________________________________________________________________________
Pat Lynch                                                    lynch@rush.net
Systems Administrator                                        Rush Networking
"Wow, everyone looks different in Real Life (tm)" - Nathan Dorfman, meeting people at FUNY
"Suicide is painless, switching to NT isn't." - Unknown
___________________________________________________________________________

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
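As an added example that is not part of this thread, the "more detailed" rule Doug mentions can be sketched as a small Python policy: it parses the ICMP header, checks the RFC 1071 checksum, keeps the Destination Unreachable and Time Exceeded messages that Path MTU Discovery and traceroute depend on, and refuses echo requests addressed to the broadcast address (the amplifier behaviour that net.inet.icmp.bmcastecho=0 turns off). It does nothing about the link saturation Pat describes, which no host-level filter can. The 192.0.2.0/24 subnet and the build_icmp helper are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# ICMP type/code numbers from RFC 792
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
FRAG_NEEDED = 4  # Destination Unreachable code used by Path MTU Discovery

# Constructed example subnet; only used to recognise the broadcast address
LOCAL_NET = IPv4Network("192.0.2.0/24")
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a message whose field is already correct sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decide(dst: str, icmp: bytes) -> tuple:
    """Policy for one inbound ICMP message to host `dst`: (allow?, reason)."""
    if len(icmp) < 8:
        return False, "truncated header"
    if icmp_checksum(icmp) != 0:
        return False, "bad checksum"
    itype, code = icmp[0], icmp[1]
    dst_ip = IPv4Address(dst)
    if itype == ECHO_REQUEST:
        # Answering echo sent to the broadcast address is what makes a host
        # a smurf amplifier; unicast ping is still answered.
        if dst_ip in (LOCAL_NET.broadcast_address, LIMITED_BROADCAST):
            return False, "broadcast echo (smurf amplifier)"
        return True, "unicast echo"
    if itype == DEST_UNREACH:
        # Code 4 carries the next-hop MTU; dropping it breaks PMTUD, which
        # is exactly what the thread ran into after blocking all ICMP.
        return True, ("pmtud" if code == FRAG_NEEDED else "destination unreachable")
    if itype in (TIME_EXCEEDED, ECHO_REPLY):
        return True, "traceroute / ping reply"
    return False, "type %d not needed" % itype


def build_icmp(itype: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Constructed test input: minimal 8-byte ICMP header with a valid checksum."""
    hdr = struct.pack("!BBH", itype, code, 0) + rest
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]
```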