Date: Mon, 27 Oct 2003 09:32:47 -0700 From: "David G. Andersen" <danderse@cs.utah.edu> To: Brett Glass <brett@lariat.org> Cc: Kris Kennaway <kris@obsecurity.org> Subject: Re: Best way to filter "Nachi pings"? Message-ID: <20031027093247.B99164@cs.utah.edu> In-Reply-To: <6.0.0.22.2.20031027092251.04ad3dd8@localhost>; from brett@lariat.org on Mon, Oct 27, 2003 at 09:26:20AM -0700 References: <200310270731.AAA23485@lariat.org> <20031027080240.GA9552@rot13.obsecurity.org> <20031027110203.B96390@trillian.santala.org> <20031027093435.GA6111@rot13.obsecurity.org> <20031027120642.A96390@trillian.santala.org> <6.0.0.22.2.20031027092251.04ad3dd8@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
Brett Glass just mooed:
> At 03:17 AM 10/27/2003, Jarkko Santala wrote:
>
> >Blocking
> >all ping packets to improve security is nothing more than security through
> >obscurity. It may hide your system against the simplest ping probes, but
> >it does nothing to improve security as such.
>
> In our case, there's a more compelling reason.
>
> Some of our customers' system administrators have utilities
> which ping their servers from their home Internet connections
> to make sure everything's working. If I were to block pings,
> all of these guys' (and gals') pagers and cell phones would go
> off at once. I'd be beseiged with demands to remove the block
> immediately.
Rate-limit them with dummynet on somewhat selective per-subnet
basis. It's not perfect, and increases the latency perceived by
customers running ping, but it helps a lot compared to doing
nothing.
-dave
--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031027093247.B99164>