Date: Mon, 27 Oct 2003 23:18:28 +0400
From: "Gaspar Chilingarov" <nm@web.am>
To: "David G. Andersen" <danderse@cs.utah.edu>, "Brett Glass" <brett@lariat.org>
Cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
Message-ID: <20031027191857.32F5A43FBD@mx1.FreeBSD.org>
Hello,

here it is the dump of such packets -

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236 (FastEthernet5
620185F0:                   0002 4A6E40C8 00D05201            ..Jn@H.PR.
62018600: 312E0800 4500005C 99180000 7E01A9DF  1...E..\....~.)_
62018610: D97110DA D97135EC 08009A83 02000627  Yq.ZYq5l.......'
62018620: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018630: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018640: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018650: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018660: 31                                   1

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.237 (FastEthernet5
6201FF40:                                 0002                  ..
6201FF50: 4A6E40C8 00D05201 312E0800 4500005C  Jn@H.PR.1...E..\
6201FF60: 99190000 7E01A9DD D97110DA D97135ED  ....~.)]Yq.ZYq5m
6201FF70: 08009983 02000727 AAAAAAAA AAAAAAAA  .......'********
6201FF80: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FF90: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FFA0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FFB0: AAAAAAAA AAAAAAAA 31                 ********1

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.179 (FastEthernet5/0/0), len 92, access denied
61B6B380:          0002 4A6E40C8 00D05201 312E0800  ..Jn@H.PR.1...
61B6B390: 4500005C 98D90000 7E01AA57 D97110DA  E..\.Y..~.*WYq.Z
61B6B3A0: D97135B3 0800D283 0200CE26 AAAAAAAA  Yq53..R...N&****
61B6B3B0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3C0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3D0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3E0: AAAAAAAA AAAAAAAA AAAAAAAA 01        ************.

and also one packet split to fields:

d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236 (FastEthernet5
# offset = 0
00:02:4A:6E:40:C8 00:D0:52:01:31:2E 0800   # ether frame
# offset=14
4500005C            # ip frame - 5c means total len 92 bytes
98D90000 7E01AA57   # 01 means icmp protocol
D97110DA D97135B3
# offset=34
0800D283            # icmp header - 08 - type echo req, code 00
0200CE26            # id, queue number
# offset=42
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
01

So, if you can filter by packet content, you can easily drop only Nachi's ICMP packets.... :)

A little bit off-topic: I've set up content filters on a Lucent Max and this helped a lot to decrease the load on the network.

So we should seek a way to filter by packet content, not by length.

With best regards,
Gaspar Chilingarov

________________________________________________
WEB ISP - leader in wireless/DSL/dialup services in Armenia.
Go to http://www.web.am/
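The content check Gaspar argues for, as an added example that is not code from this message or the thread: a small Python parser that walks the annotated frame above (Ethernet, IPv4, ICMP), verifies both checksums, and matches on what the dump actually shows (echo request, IP total length 92, a 64-byte payload made only of 0xAA) rather than on length alone. The frame bytes are constructed from the third dump in the message; the function names are my own.

```python
import struct
from typing import NamedTuple, Optional

# Constructed from the third frame dumped above (the one annotated field by
# field). The final 0x01 byte sits beyond the IP total length of 0x5C = 92.
NACHI_FRAME = bytes.fromhex(
    "00024A6E40C8" "00D05201312E" "0800"         # Ethernet: dst MAC, src MAC, IPv4
    "4500005C98D900007E01AA57D97110DAD97135B3"   # IPv4 header, proto 01 = ICMP
    "0800D2830200CE26"                           # ICMP: type 8, code 0, csum, id, seq
    + "AA" * 64                                  # payload: 64 bytes of 0xAA
    + "01"                                       # trailer byte, not part of the IP packet
)

IcmpPkt = NamedTuple("IcmpPkt", [("src", str), ("dst", str), ("total_len", int),
                                 ("icmp_type", int), ("icmp_code", int),
                                 ("payload", bytes), ("checksums_ok", bool)])

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the buffer verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_frame(frame: bytes) -> Optional[IcmpPkt]:
    """Parse Ethernet/IPv4/ICMP headers; None for anything that is not IPv4 ICMP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1 or total_len < ihl + 8 or len(ip) < total_len:
        return None
    icmp = ip[ihl:total_len]  # honour total length so trailer bytes are ignored
    ok = inet_checksum(ip[:ihl]) == 0 and inet_checksum(icmp) == 0
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return IcmpPkt(src, dst, total_len, icmp[0], icmp[1], icmp[8:], ok)

def is_nachi_ping(frame: bytes) -> bool:
    """Content match from the dump: echo request, total length 92, payload all 0xAA.
    Length alone is not enough: any ping with a 64-byte payload is also 92 bytes."""
    p = parse_frame(frame)
    return (p is not None and p.icmp_type == 8 and p.icmp_code == 0
            and p.total_len == 92 and p.payload == b"\xaa" * 64)
```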
