From: "David G. Andersen" <danderse@flux.utah.edu>
To: Brett Glass
Cc: security@freebsd.org, Kris Kennaway
Date: Mon, 27 Oct 2003 09:32:47 -0700
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027093247.B99164@cs.utah.edu>
In-Reply-To: <6.0.0.22.2.20031027092251.04ad3dd8@localhost>; from brett@lariat.org on Mon, Oct 27, 2003 at 09:26:20AM -0700

Brett Glass just mooed:
> At 03:17 AM 10/27/2003, Jarkko Santala wrote:
>
> >Blocking
> >all ping packets to improve security is nothing more than security through
> >obscurity. It may hide your system against the simplest ping probes, but
> >it does nothing to improve security as such.
>
> In our case, there's a more compelling reason.
>
> Some of our customers' system administrators have utilities
> which ping their servers from their home Internet connections
> to make sure everything's working. If I were to block pings,
> all of these guys' (and gals') pagers and cell phones would go
> off at once. I'd be besieged with demands to remove the block
> immediately.

Rate-limit them with dummynet on a somewhat selective per-subnet basis.
It's not perfect, and increases the latency perceived by customers
running ping, but it helps a lot compared to doing nothing.

  -dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
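An added example of the per-subnet dummynet rate limit Dave describes (my own script, not code from the mail or from the FreeBSD project). It assumes the outside interface is fxp0, uses pipe 1 and rule number 100, and gives each source /24 a 16 Kbit/s budget with a 10-packet queue; all of those values are my choices.

```shell
#!/bin/sh
# Rate-limit inbound ICMP echo requests per source /24 with ipfw + dummynet,
# so a worm-infested subnet is throttled while pings from other subnets
# (customers' monitoring scripts) still get through, just with added latency.
# Assumed values (not from the mail): interface, pipe/rule numbers, budget.
IFACE="${IFACE:-fxp0}"
PIPE=1
BW="16Kbit/s"

# Run ipfw when it is available, otherwise print the command. This lets the
# rule set be reviewed on a non-FreeBSD box (or with DRYRUN=1) before use.
fwcmd() {
    if [ -z "$DRYRUN" ] && command -v ipfw >/dev/null 2>&1; then
        ipfw "$@"
    else
        echo "ipfw $*"
    fi
}

nachi_ping_rules() {
    # "mask src-ip 0xffffff00" makes dummynet keep a separate queue, with its
    # own bandwidth budget, for every source /24. A queue of 10 slots means
    # anything beyond that is dropped rather than delayed indefinitely.
    fwcmd pipe "$PIPE" config bw "$BW" queue 10 mask src-ip 0xffffff00
    # Only inbound echo requests (ICMP type 8) go through the pipe; echo
    # replies and all other traffic are not touched by this rule.
    fwcmd add 100 pipe "$PIPE" icmp from any to any icmptypes 8 in via "$IFACE"
}

nachi_ping_rules
```

Check the per-subnet queues afterwards with `ipfw pipe 1 show`; each active source /24 appears as its own flow with its current queue length and drop count.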