Date: Mon, 27 Oct 2003 22:23:53 +1100 (EST)
From: Ross Wheeler <rossw@albury.net.au>
To: Jason Stone <freebsd-security@dfmm.org>
Cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <Pine.BSF.4.31.0310272218340.66532-100000@giroc.albury.net.au>
In-Reply-To: <20031027030027.B8440@walter>
> > Blocking all ping packets to improve security is nothing more than
> > security through obscurity.
>
> No, you're missing the point - when all of my clients started massively
> pinging the internet, the load on my nat box brings down connectivity for
> my whole office. We're not talking about obscuring the layout of a
> network - we're talking about a client that is massively flooding with a
> particular kind of traffic, and so we're blocking that traffic to avoid
> dos. That traffic just happens to be ping traffic. Yes, not being able
> to send outbound pings is unfortunate, but if the alternative is to lose
> your connectivity entirely, blocking pings seems preferable.
>
> iplen len
> Matches IP packets whose total length, including header and
> data, is len bytes.
>
> However, this isn't going to help most people with 4.x systems, so their
> best option is probably still to block all pings.

The "best" option is to actively monitor for this worm (it's NOT difficult,
a few lines of awk and tcpdump does fine here), *DETECT* the worm on your
customer's machine, mail them, mail your support team and BOOT THEM.

I've been doing it here since about 4 hours after blaster hit, and it's
saved us immeasurable pain. We're lucky to have 2 users a day get
(re)infected. Detecting them, identifying them and kicking them off the
appropriate NAS they are attached to, including sending e-mail, takes
under 15 seconds.

It minimises the chances of them infecting anyone else, AND reduces the
impact on your network.

Oh, filtering ingress traffic to minimise its entry into your network is a
good thing too.

YMMV.
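The "few lines of awk and tcpdump" approach Ross describes, as an added example that is not his script and not part of the original thread. It assumes `tcpdump -n` text output piped on stdin (so addresses are numeric), tallies ICMP echo requests per source together with the number of distinct destinations each source hit, and reports sources at or above a request-count threshold (20 is an assumed default; a worm sweeping the network shows many distinct destinations, which a legitimate single-host ping does not). The capture lines in `sample_capture` are constructed for the demonstration; the report it prints is what you would hand to the mail/NAS-kick step, which is left out here because it is site-specific.

```shell
#!/bin/sh
# Added example, not from the original message. Flags hosts that send many
# ICMP echo requests in a tcpdump text capture. Tested against the modern
# "ts IP src > dst: ICMP echo request, ..." form; the source/destination are
# located by the ">" token so the older "ts src > dst: icmp: echo request"
# form also parses. Assumes tcpdump was run with -n.

# detect_pingers [threshold]
# Reads tcpdump lines on stdin; prints "requests distinct_dsts src" for each
# source whose echo-request count is >= threshold (default 20, an assumption).
detect_pingers() {
    thr=${1:-20}
    awk -v thr="$thr" '
        tolower($0) ~ /icmp.*echo request/ {
            src = ""; dst = ""
            for (i = 2; i < NF; i++) {
                if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
            }
            if (src == "") next
            sub(/:$/, "", dst)             # strip the trailing colon
            n[src]++
            if (!((src SUBSEP dst) in seen)) { seen[src SUBSEP dst] = 1; d[src]++ }
        }
        END {
            for (s in n) if (n[s] >= thr) printf "%d %d %s\n", n[s], d[s], s
        }' | sort -rn
}

# Constructed capture: one host sweeping 25 different destinations (worm-like),
# one host sending a single ordinary ping, and the reply to it (ignored).
sample_capture() {
    i=0
    while [ "$i" -lt 25 ]; do
        printf '22:18:%02d.000000 IP 203.0.113.17 > 198.51.100.%d: ICMP echo request, id 512, seq %d, length 72\n' \
            "$((i % 60))" "$((i + 1))" "$i"
        i=$((i + 1))
    done
    printf '22:18:40.000000 IP 203.0.113.8 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64\n'
    printf '22:18:41.000000 IP 198.51.100.5 > 203.0.113.8: ICMP echo reply, id 1, seq 1, length 64\n'
}

# Stand-alone demo: on a live box you would use
#   tcpdump -n -l icmp | detect_pingers
# (-l for line-buffered output) instead of the constructed sample.
sample_capture | detect_pingers
```

With the default threshold the sweeping host is the only line reported; lowering the threshold to 1 also lists the single-ping host, with a distinct-destination count of 1, which is the figure that separates a scan from ordinary use.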