From owner-freebsd-questions Sun Apr 13 13:21:15 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA22128 for questions-outgoing; Sun, 13 Apr 1997 13:21:15 -0700 (PDT)
Received: from mail.warp.co.uk (root@mail.warp.co.uk [194.207.68.4]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id NAA22096 for ; Sun, 13 Apr 1997 13:21:03 -0700 (PDT)
Received: from ian-laptop (ppp1.warp.co.uk [194.207.69.30]) by mail.warp.co.uk with SMTP id VAA09455; Sun, 13 Apr 1997 21:20:49 GMT
Message-Id: <3.0.1.32.19970413211535.006b4954@mail.warp.co.uk>
X-Sender: tony@mail.warp.co.uk
X-Mailer: Windows Eudora Light Version 3.0.1 (32)
Date: Sun, 13 Apr 1997 21:15:35 +0100
To: Adrian Chadd , Anthony Barlow
From: Anthony Barlow
Subject: Re: Firewalling large ICMP packets..
Cc: freebsd-questions@freebsd.org
In-Reply-To:
References: <3.0.1.32.19970410084803.0068a638@mail.warp.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 21:12 13-04-97 +0800, Adrian Chadd wrote:
>> >As a note, FreeBSD is immune to the Death Ping (as reported).. I suspect
>> >you are trying to save some susceptible machines in your network from
>> >disaster :)
>>
>> That's one of the main reasons why we are changing our servers over from
>> Linux 1.2.13 to FreeBSD.2.2.1-RELEASE. We're using a firewall on all our
>> entry points to block these and other spoof attempts.
>
>I *KNOW* that bit *grin*
>I'm not worried about our machines dying, I'm worried about people ping
>flooding our modems, both internally (user - user) and externally (world -
>user / machine). All a user has to do to ping flood another user off is
>say hit them with a 4kb ping packet from a decently-connected host to the
>net.

We filter for them on our leased lines and on our dial-in lines. That way
it's hard to get attacked from the Internet and also malicious users
can't do it to us if they were a customer of ours.
It also protects our other clients from them being attacked if they got up
someone's nose in a news group or IRC room :)

>Also - I've logged a couple gig of ICMPs going to our dialups over the
>week, and that's a lot in Australian dollars. When people don't see ping
>replies, 9 times out of 10 they stop thinking they've done the deed.

They think they've done the deed with us as they are just simply blocked.
It's logged to our syslogd host as well. We've successfully prosecuted one
user from another ISP in the UK that tried using our mail server for
spamming. In the UK it's a criminal offence to use a computer without the
owner's permission under the Computer Misuse Act.

>I'm pretty sure the Cisco 2501 could do that.. but I don't think this is
>the list to ask how to play with IOS (unless of course, someone has
>already done it :)

We use Livingston routers and all you need to do is put it in the filters
rule deny 'deny icmp'

Regards,
Anthony
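Added example, not part of the original message and not any router's own filter code: a sketch of the decision a stateless filter makes when it polices ICMP by size, as the thread discusses. It shows that a ping larger than the link MTU arrives as fragments, so a size rule also has to deal with fragmented ICMP and with fragments that would reassemble past 65535 bytes. The 1024-byte limit, the function names and the documentation-range addresses are assumptions.

```python
import struct

MAX_DATAGRAM = 65535  # largest legal reassembled IPv4 datagram, header included
ECHO_LIMIT = 1024     # assumed site policy: largest ICMP echo packet allowed, in bytes

def build_ipv4(proto, payload, frag_offset=0, more_frags=False):
    """Build a constructed IPv4 packet for testing (checksum left at zero)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + payload

def classify(packet):
    """Return a verdict string for one raw IPv4 packet."""
    if len(packet) < 20:
        return "drop-malformed"
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        return "drop-malformed"
    if proto != 1:                      # only ICMP is policed here
        return "pass"
    offset = (flags_frag & 0x1FFF) * 8  # fragment offset in bytes
    more_frags = bool(flags_frag & 0x2000)
    # A fragment ending past 65535 bytes can only reassemble into an illegal datagram.
    if offset + total_len > MAX_DATAGRAM:
        return "drop-oversize-fragment"
    # A stateless filter sees the ICMP type only in the first fragment, so a
    # size rule on echo packets has to refuse fragmented ICMP as well.
    if offset or more_frags:
        return "drop-fragmented-icmp"
    if total_len - ihl < 8:             # shorter than an ICMP header
        return "drop-malformed"
    if packet[ihl] in (0, 8) and total_len > ECHO_LIMIT:  # echo reply / echo request
        return "drop-large-echo"
    return "pass"

ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1])  # constructed echo request header
SAMPLES = {  # constructed packets, not captured traffic
    "normal ping": build_ipv4(1, ECHO + b"x" * 56),
    "4 KB ping": build_ipv4(1, ECHO + b"x" * 4096),
    "first fragment": build_ipv4(1, ECHO + b"x" * 1472, more_frags=True),
    "oversize tail": build_ipv4(1, b"x" * 100, frag_offset=65528),
    "tcp segment": build_ipv4(6, b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} {classify(pkt)}")
```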