Date:      Mon, 27 Oct 2003 17:17:38 +0800
From:      "Francis A. Vidal" <francisv-sender-21ebc3@irc.dagupan.com>
To:        <freebsd-security@freebsd.org>
Subject:   RE: Best way to filter "Nachi pings"?
Message-ID:  <1067246270.68413.TMDA@irc.dagupan.com>
In-Reply-To: <20031027110203.B96390@trillian.santala.org>

Unfortunately, the Nachi worm uses ICMP echo to probe potential targets. If
you have a Cisco box, you can match the ICMP message generated by Nachi by
its size and type and do some fancy stuff with it.

-----Original Message-----
From: Jarkko Santala [mailto:jake@iki.fi]
Sent: Monday, October 27, 2003 5:07 PM
To: Kris Kennaway
Cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?

On Mon, 27 Oct 2003, Kris Kennaway wrote:

> On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > We're being ping-flooded by the Nachi worm, which probes subnets for
> > systems to attack by sending 92-byte ping packets. Unfortunately,
> > IPFW doesn't seem to have the ability to filter packets by length.
> > Assuming that I stick with IPFW, what's the best way to stem the
> > tide?
>
> Block all ping packets?  Most security-conscious admins do this

D'oh? I like ping very much and it would make me very sad indeed if I
couldn't ping my boxes to solve possible network problems along the way. I
fail to see the security problem and possible DoS issues could be solved
by using limiting of some sort.

Definitely this block-all approach is not sane, it's like if someone
complains about NFS being broken you'd say disable it. Filtering packets
by length on the other hand is a very nice feature to have.

	-jake

-- 
Jarkko Santala <jake(ät)iki.fi>  System Administrator  http://iki.fi/jake/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
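
Added example, not part of the original messages: the thread identifies the Nachi probes by ICMP type and packet size, and this Python check applies the same two criteria to raw IPv4 packets. It assumes the 92 bytes are the IP total length; the function names and sample packets are constructed for illustration.

```python
import struct

NACHI_TOTAL_LEN = 92     # size quoted in the thread; assumed to be IP total length
ICMP_ECHO_REQUEST = 8    # ICMP type of an ordinary ping

def build_ping(total_len, icmp_type=ICMP_ECHO_REQUEST, options=b""):
    """Construct a sample IPv4/ICMP packet (test data only, checksums left zero)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                         64, 1, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    header += options
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    return header + icmp + b"\x00" * (total_len - len(header) - len(icmp))

def is_nachi_sized_ping(packet):
    """True only for an unfragmented ICMP echo request whose IP length is 92."""
    if len(packet) < 20:
        return False                      # too short to hold an IPv4 header
    ver_ihl, _, total_len, _, frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4            # header length varies with IP options
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl + 1:
        return False
    if proto != 1 or frag & 0x3FFF:       # not ICMP, or MF set / non-zero offset
        return False
    return total_len == NACHI_TOTAL_LEN and packet[ihl] == ICMP_ECHO_REQUEST

if __name__ == "__main__":
    samples = {
        "92-byte echo request": build_ping(92),
        "84-byte echo request": build_ping(84),
        "92-byte echo reply": build_ping(92, icmp_type=0),
        "92-byte echo request with IP options": build_ping(92, options=b"\x01\x01\x01\x00"),
    }
    for name, pkt in samples.items():
        print(f"{name}: {'match' if is_nachi_sized_ping(pkt) else 'pass'}")
```

Matching on both fields leaves pings of any other size untouched, which is the property the length-filtering request in the thread is after.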


