Date: Mon, 27 Oct 2003 17:17:38 +0800 From: "Francis A. Vidal" <francisv-sender-21ebc3@irc.dagupan.com> To: <freebsd-security@freebsd.org> Subject: RE: Best way to filter "Nachi pings"? Message-ID: <1067246270.68413.TMDA@irc.dagupan.com> In-Reply-To: <20031027110203.B96390@trillian.santala.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Unfortunately, the Nachi worm uses ICMP echo to probe potential targets. If you have a Cisco box, you can match the ICMP message generated by Nachi by it's size and type and do some fancy stuff with it. -----Original Message----- From: Jarkko Santala [mailto:jake@iki.fi]=20 Sent: Monday, October 27, 2003 5:07 PM To: Kris Kennaway Cc: security@freebsd.org Subject: Re: Best way to filter "Nachi pings"? On Mon, 27 Oct 2003, Kris Kennaway wrote: > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote: > > We're being ping-flooded by the Nachi worm, which probes subnets for > > systems to attack by sending 92-byte ping packets. Unfortunately, > > IPFW doesn't seem to have the ability to filter packets by length. > > Assuming that I stick with IPFW, what's the best way to stem the > > tide? > > Block all ping packets? Most security-conscious admins do this D'oh? I like ping very much and it would make me very sad indeed if I couldn't ping my boxes to solve possible network problems along the way. I fail to see the security problem and possible DoS issues could be solved by using limiting of sort. Definitely this block-all approach is not sane, its like if someone complains about NFS being broken you'd say disable it. Filtering packets by length on the other hand is a very nice feature to have. -jake --=20 Jarkko Santala <jake(=E4t)iki.fi> System Administrator http://iki.fi/jake/ _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1067246270.68413.TMDA>