From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 03:24:00 2003
From: Ross Wheeler
To: Jason Stone
cc: security@freebsd.org
Date: Mon, 27 Oct 2003 22:23:53 +1100 (EST)
Subject: Re: Best way to filter "Nachi pings"?
In-Reply-To: <20031027030027.B8440@walter>

> > Blocking all ping packets to improve security is nothing more than
> > security through obscurity.
>
> No, you're missing the point - when all of my clients started massively
> pinging the internet, the load on my nat box brings down connectivity for
> my whole office. We're not talking about obscuring the layout of a
> network - we're talking about a client that is massively flooding with a
> particular kind of traffic, and so we're blocking that traffic to avoid
> dos. That traffic just happens to be ping traffic. Yes, not being able
> to send outbound pings is unfortunate, but if the alternative is to lose
> your connectivity entirely, blocking pings seems preferable.
> iplen len
>         Matches IP packets whose total length, including header and
>         data, is len bytes.
>
> However, this isn't going to help most people with 4.x systems, so their
> best option is probably still to block all pings.

The "best" option is to actively monitor for this worm (it's NOT difficult; a few lines of awk and tcpdump do fine here), *DETECT* the worm on your customer's machine, mail them, mail your support team and BOOT THEM.

I've been doing it here since about 4 hours after Blaster hit, and it's saved us immeasurable pain. We're lucky to have 2 users a day get (re)infected. Detecting them, identifying them and kicking them off the appropriate NAS they are attached to, including sending e-mail, takes under 15 seconds. It minimises the chances of them infecting anyone else, AND reduces the impact on your network.

Oh, filtering ingress traffic to minimise its entry into your network is a good thing too.

YMMV.
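A sketch of the tcpdump-plus-awk detector the post describes, added here as an example and not Ross's own script: it assumes `tcpdump -n icmp` style lines on stdin, flags any source that sends echo requests to more distinct destinations than a threshold (a sweeping worm talks to hundreds of hosts, a person running ping talks to one or two), and the sample capture below is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.  Reads tcpdump -n output
# such as:
#   12:00:01.000000 IP 10.0.0.5 > 192.0.2.7: ICMP echo request, id 512, seq 1, length 72
# and prints "<source> <distinct-destinations>" for every source at or
# above the threshold.  The line format and the default threshold of 50
# are assumptions; tune them to your own tcpdump version and link.
# Usage: tcpdump -l -n -i em0 icmp | detect_pingers 50

detect_pingers() {
    thresh="${1:-50}"
    awk -v thresh="$thresh" '
        /ICMP echo request/ {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # count each (source, destination) pair once, so a host that
            # pings one box repeatedly is not mistaken for a sweep
            if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
        }
        END {
            for (s in targets) if (targets[s] >= thresh) print s, targets[s]
        }
    ' | sort
}

# Constructed sample capture: 10.0.0.5 sweeps 60 hosts in a minute,
# 10.0.0.9 pings a single host twice.
sample_capture() {
    i=1
    while [ "$i" -le 60 ]; do
        printf '12:00:%02d.000000 IP 10.0.0.5 > 192.0.2.%d: ICMP echo request, id 512, seq %d, length 72\n' \
            "$((i % 60))" "$i" "$i"
        i=$((i + 1))
    done
    printf '12:01:00.000000 IP 10.0.0.9 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64\n'
    printf '12:01:01.000000 IP 10.0.0.9 > 192.0.2.1: ICMP echo request, id 1, seq 2, length 64\n'
}

# Running the sample through the detector flags only the sweeping host.
sample_capture | detect_pingers 50
```

The printed source addresses are what you would hand to the notification and disconnect step the post describes; in practice read a bounded window (for example `tcpdump -c 5000`) so the per-source counts reset rather than grow forever.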