From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 01:17:54 2003
From: "Francis A. Vidal"
Date: Mon, 27 Oct 2003 17:17:38 +0800
Subject: RE: Best way to filter "Nachi pings"?
In-Reply-To: <20031027110203.B96390@trillian.santala.org>
Message-ID: <1067246270.68413.TMDA@irc.dagupan.com>
List-Id: Security issues [members-only posting]

Unfortunately, the Nachi worm uses ICMP echo to probe potential targets. If you have a Cisco box, you can match the ICMP message generated by Nachi by its size and type and do some fancy stuff with it.

-----Original Message-----
From: Jarkko Santala [mailto:jake@iki.fi]
Sent: Monday, October 27, 2003 5:07 PM
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?

On Mon, 27 Oct 2003, Kris Kennaway wrote:

> On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > We're being ping-flooded by the Nachi worm, which probes subnets for
> > systems to attack by sending 92-byte ping packets. Unfortunately,
> > IPFW doesn't seem to have the ability to filter packets by length.
> > Assuming that I stick with IPFW, what's the best way to stem the
> > tide?
>
> Block all ping packets? Most security-conscious admins do this.

D'oh? I like ping very much and it would make me very sad indeed if I couldn't ping my boxes to solve possible network problems along the way. I fail to see the security problem, and possible DoS issues could be solved by using limiting of some sort. Definitely this block-all approach is not sane; it's like if someone complains about NFS being broken you'd say disable it. Filtering packets by length on the other hand is a very nice feature to have.

-jake
-- 
Jarkko Santala
System Administrator
http://iki.fi/jake/

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
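The thread asks for two things a firewall could do instead of blocking all ping: match echo requests by the 92-byte total length the worm's probes are reported to have, and rate-limit the rest per source. As an added example, not code from the thread or from IPFW, the Python below parses constructed IPv4/ICMP packets and applies exactly that policy; the packet builder, addresses and per-second threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
PROBE_IP_LEN = 92  # IP total length of the worm's echo requests, as reported in the thread


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, ip_total_len, icmp_type) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 1:  # protocol 1 == ICMP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    return src, total_len, pkt[ihl]


def build_echo_request(src: str, payload_len: int) -> bytes:
    """Constructed sample echo request (checksums zeroed; not a real capture)."""
    total = 20 + 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)
    return ip_hdr + icmp_hdr + b"\xaa" * payload_len


class EchoPolicy:
    """Drop echo requests of the probe's size; rate-limit other pings per source."""

    def __init__(self, per_second: int):
        self.limit = per_second
        self.seen = defaultdict(list)  # src -> timestamps of recent echo requests

    def decide(self, pkt: bytes, now: float) -> str:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            return "pass"  # not ICMP: outside this policy's scope
        src, total_len, icmp_type = parsed
        if icmp_type != ICMP_ECHO_REQUEST:
            return "pass"  # echo replies, unreachables etc. stay usable
        if total_len == PROBE_IP_LEN:
            return "drop:probe-size"
        window = [t for t in self.seen[src] if now - t < 1.0]  # sliding 1 s window
        window.append(now)
        self.seen[src] = window
        return "pass" if len(window) <= self.limit else "drop:rate"
```

Matching on length alone also catches any legitimate 92-byte ping, so in practice the size rule is paired with the rate limit rather than used on its own.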