Date:      Mon, 27 Oct 2003 12:17:11 +0200 (EET)
From:      Jarkko Santala <jake@iki.fi>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        security@freebsd.org
Subject:   Re: Best way to filter "Nachi pings"?
Message-ID:  <20031027120642.A96390@trillian.santala.org>
In-Reply-To: <20031027093435.GA6111@rot13.obsecurity.org>
References:  <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> <20031027093435.GA6111@rot13.obsecurity.org>

On Mon, 27 Oct 2003, Kris Kennaway wrote:

> On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
> > On Mon, 27 Oct 2003, Kris Kennaway wrote:
> >
> > > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > > > We're being ping-flooded by the Nachi worm, which probes subnets for
> > > > systems to attack by sending 92-byte ping packets. Unfortunately,
> > > > IPFW doesn't seem to have the ability to filter packets by length.
> > > > Assuming that I stick with IPFW, what's the best way to stem the
> > > > tide?
> > >
> > > Block all ping packets?  Most security-conscious admins do this
> >
> > D'oh? I like ping very much and it would make me very sad indeed if I
> > couldn't ping my boxes to solve possible network problems along the way. I
> > fail to see the security problem and possible DoS issues could be solved
> > by using limiting of some sort.
>
> The security and DoS concerns are really kind of obvious.

Both of which I believe can be handled in a more civilized way. Blocking
all ping packets to improve security is nothing more than security through
obscurity. It may hide your system against the simplest ping probes, but
it does nothing to improve security as such.

> No-one has a gun to your head though, so I fail to see why you're
> complaining that someone else might do this on their own network.

That was not the reason why I complained. The reason was someday some
newbie might read your post and come to the conclusion that blocking all
ping packets is the only solution and even a good one, which is what I
disagree with.

> > Definitely this block-all approach is not sane, it's like if someone
> > complains about NFS being broken you'd say disable it. Filtering packets
> > by length on the other hand is a very nice feature to have.
>
> As it happens, ipfw[2] does this anyway.

IMHO this is the correct answer that might have been given right away.

        -jake

-- 
Jarkko Santala <jake(ät)iki.fi>  System Administrator  http://iki.fi/jake/
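The length-based filter Kris points at, shown as an added example that is not part of the thread: ipfw2's `icmptypes` and `iplen` options, emulated in Python as a first-match rule set over constructed IPv4/ICMP packets so it runs offline. The 92-byte figure comes from Brett's message (20-byte IP header + 8-byte ICMP header + 64-byte payload); the addresses, IDs and payload bytes are made up. The real rules this mirrors, in ipfw(8) syntax, would be `ipfw add 100 deny icmp from any to any icmptypes 8 iplen 92` followed by `ipfw add 200 allow icmp from any to any`, so ordinary ping keeps working.

```python
import struct

# Added example (not code from the thread): emulate an ipfw2-style
# first-match rule set that drops only 92-byte ICMP echo requests
# while leaving other ICMP, including ordinary ping, alone.
# Addresses, IDs and payloads below are constructed test data.

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                      src: str = "192.0.2.10", dst: str = "192.0.2.20") -> bytes:
    """Construct IPv4 + ICMP echo; IP total length = 20 + 8 + len(payload)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = struct.pack("!BBHHH", icmp_type, 0, inet_checksum(icmp), 0x1234, 1) + payload
    fields = [0x45, 0, 20 + len(icmp), 0xBEEF, 0, 64, IPPROTO_ICMP, 0,
              bytes(int(o) for o in src.split(".")),
              bytes(int(o) for o in dst.split("."))]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(header)        # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp


def parse(packet: bytes) -> dict:
    """Pull out the fields that ipfw's 'icmptypes' and 'iplen' options look at."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    icmp_type = packet[ihl] if proto == IPPROTO_ICMP and len(packet) > ihl else None
    return {"iplen": total_len, "proto": proto, "icmptype": icmp_type}


# (rule number, action, match options); first match wins, as in ipfw.
RULES = [
    (100,   "deny",  {"proto": IPPROTO_ICMP, "icmptypes": {ICMP_ECHO_REQUEST}, "iplen": {92}}),
    (200,   "allow", {"proto": IPPROTO_ICMP}),
    (65535, "allow", {}),
]


def rule_matches(fields: dict, opts: dict) -> bool:
    """Every option present in the rule must match; absent options match anything."""
    if "proto" in opts and fields["proto"] != opts["proto"]:
        return False
    if "icmptypes" in opts and fields["icmptype"] not in opts["icmptypes"]:
        return False
    if "iplen" in opts and fields["iplen"] not in opts["iplen"]:
        return False
    return True


def filter_packet(packet: bytes) -> tuple:
    """Return (rule number, action) of the first matching rule."""
    fields = parse(packet)
    for number, action, opts in RULES:
        if rule_matches(fields, opts):
            return number, action
    raise AssertionError("unreachable: rule 65535 matches everything")


if __name__ == "__main__":
    samples = {
        "worm-style probe, 64-byte payload (92 total)": build_icmp_packet(b"\xaa" * 64),
        "default FreeBSD ping, 56-byte payload (84 total)": build_icmp_packet(b"\x00" * 56),
        "92-byte echo reply (type 0)": build_icmp_packet(b"\xaa" * 64, ICMP_ECHO_REPLY),
        "legitimate 'ping -s 64', also 92 bytes": build_icmp_packet(b"\x00" * 64),
    }
    for label, pkt in samples.items():
        print(f"{label:50s} iplen={parse(pkt)['iplen']:3d} -> {filter_packet(pkt)}")
```

The last sample is the caveat: the rule keys on length and ICMP type only, so any echo request carrying a 64-byte payload (for example `ping -s 64` from a legitimate host) is dropped along with the worm's probes. Matching on `iplen` is a heuristic for this worm's traffic pattern, not an identification of the worm, and is the kind of narrow rule Jarkko argues for in place of blocking all ICMP.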


