From owner-freebsd-security@FreeBSD.ORG Mon Oct 27 11:19:05 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93A9516A4B3 for ; Mon, 27 Oct 2003 11:19:05 -0800 (PST)
Received: from mail.web.am (wizard.web.am [217.113.0.66]) by mx1.FreeBSD.org (Postfix) with SMTP id 32F5A43FBD for ; Mon, 27 Oct 2003 11:18:57 -0800 (PST) (envelope-from nm@web.am)
Received: (qmail 61226 invoked from network); 27 Oct 2003 19:18:29 -0000
Received: from localhost (HELO WEBMailhttpwwwwebam) (127.0.0.1) by localhost with SMTP; 27 Oct 2003 19:18:29 -0000
Received: from client 217.113.1.123 for UebiMiau2.7 (webmail client); Mon, 27 Oct 2003 23:18:28 +0400
Date: Mon, 27 Oct 2003 23:18:28 +0400
From: "Gaspar Chilingarov"
To: "David G. Andersen", "Brett Glass"
X-Priority: 3
X-Mailer: WEB Mail http://www.web.am/ 0.1
X-Original-IP: 217.113.1.123
Content-Transfer-Encoding: 8bit
X-MSMail-Priority: Medium
Importance: Medium
Content-Type: text/plain; charset="iso-8859-1";
MIME-Version: 1.0
Message-Id: <20031027191857.32F5A43FBD@mx1.FreeBSD.org>
cc: security@freebsd.org
Subject: Re: Best way to filter "Nachi pings"?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Gaspar Chilingarov
List-Id: Security issues [members-only posting]
X-List-Received-Date: Mon, 27 Oct 2003 19:19:05 -0000

Hello,

Here is the dump of such packets:

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236 (FastEthernet5
620185F0:                   0002 4A6E40C8 00D05201              ..Jn@H.PR.
62018600: 312E0800 4500005C 99180000 7E01A9DF  1...E..\....~.)_
62018610: D97110DA D97135EC 08009A83 02000627  Yq.ZYq5l.......'
62018620: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018630: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018640: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018650: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018660: 31                                   1

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.237 (FastEthernet5
6201FF40:                                 0002  ..
6201FF50: 4A6E40C8 00D05201 312E0800 4500005C  Jn@H.PR.1...E..\
6201FF60: 99190000 7E01A9DD D97110DA D97135ED  ....~.)]Yq.ZYq5m
6201FF70: 08009983 02000727 AAAAAAAA AAAAAAAA  .......'********
6201FF80: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FF90: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FFA0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FFB0: AAAAAAAA AAAAAAAA 31                 ********1

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.179 (FastEthernet5/0/0), len 92, access denied
61B6B380:          0002 4A6E40C8 00D05201 312E0800  ..Jn@H.PR.1...
61B6B390: 4500005C 98D90000 7E01AA57 D97110DA  E..\.Y..~.*WYq.Z
61B6B3A0: D97135B3 0800D283 0200CE26 AAAAAAAA  Yq53..R...N&****
61B6B3B0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3C0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3D0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3E0: AAAAAAAA AAAAAAAA AAAAAAAA 01        ************.

And also one packet split into fields:

d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236 (FastEthernet5
# offset = 0
00:02:4A:6E:40:C8 00:D0:52:01:31:2E 0800   # ether frame
# offset = 14
4500005C                                   # ip frame - 5c means total len 92 bytes
98D90000 7E01AA57                          # 01 means icmp protocol
D97110DA D97135B3
# offset = 34
0800D283                                   # icmp header - 08 - type echo req, code 00
0200CE26                                   # id, queue number
# offset = 42
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
01

So, if you can filter by packet content, you can easily drop only Nachi's ICMP packets ...
:) A little bit off-topic: I've set up content filters on a Lucent Max and this helped a lot to decrease the load on the network.

So we should seek a way to filter by packet content, not by length.

With best regards,
Gaspar Chilingarov
________________________________________________
WEB ISP - leader in wireless/DSL/dialup services in Armenia.
Go to http://www.web.am/
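Added example, not code from Gaspar's post or from any FreeBSD or Cisco tool: a Python decoder that takes the bytes of the third frame in the dump above (s=217.113.16.218, d=217.113.53.179), walks the same Ethernet/IP/ICMP offsets the post lists, verifies the IP and ICMP checksums (both check out on the captured bytes), and applies the content match the post argues for: an ICMP echo request in a 92-byte IP datagram whose 64 data bytes are all 0xAA. The contrasting ordinary ping is constructed here with hypothetical 10.0.0.x addresses and zeroed MAC addresses; the stray 0x01 printed after the payload in the dump lies past the 92 bytes the IP total-length field declares, so the decoder stops before it.

```python
"""Added example: decode the Nachi echo request from the dump and test the
content-based match the post proposes. Not code from the original post."""
import struct

# Third frame of the dump (s=217.113.16.218, d=217.113.53.179), hex copied
# from the post. Anything printed after the 92 declared bytes is ignored.
NACHI_FRAME_HEX = (
    "00024A6E40C8" "00D05201312E" "0800"                    # Ethernet: dst, src, type IPv4
    "4500005C" "98D90000" "7E01AA57" "D97110DA" "D97135B3"  # IPv4 header, 20 bytes
    "0800D283" "0200CE26"                                   # ICMP: type 8, code 0, csum, id, seq
    + "AA" * 64                                             # Nachi payload
)
NACHI_PAYLOAD = b"\xaa" * 64
NACHI_TOTAL_LEN = 92


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a block that already carries
    a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Walk the offsets from the post: Ethernet at 0, IP at 14, ICMP at 34, data at 42."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    datagram = ip[:total_len]            # drop anything past the declared length
    payload = datagram[ihl:]
    info = {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "total_len": total_len,
        "proto": ip[9],
        "ip_csum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    if ip[9] == 1 and len(payload) >= 8:  # protocol 1 = ICMP
        icmp_type, icmp_code, _csum, ident, seq = struct.unpack("!BBHHH", payload[:8])
        info.update(icmp_type=icmp_type, icmp_code=icmp_code, icmp_id=ident,
                    icmp_seq=seq, icmp_csum_ok=inet_checksum(payload) == 0,
                    icmp_data=payload[8:])
    return info


def is_nachi_ping(info: dict) -> bool:
    """Content match: echo request, 92-byte datagram, 64 bytes of 0xAA.
    Length alone is deliberately not the discriminator."""
    return (info.get("proto") == 1
            and info.get("icmp_type") == 8 and info.get("icmp_code") == 0
            and info.get("total_len") == NACHI_TOTAL_LEN
            and info.get("icmp_data") == NACHI_PAYLOAD)


def build_echo_request(src: str, dst: str, ident: int, seq: int, data: bytes) -> bytes:
    """Constructed, correctly checksummed echo request for comparison
    (hypothetical addresses, zeroed MAC addresses)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    iph = iph[:10] + struct.pack("!H", inet_checksum(iph)) + iph[12:]
    return bytes(12) + b"\x08\x00" + iph + icmp


if __name__ == "__main__":
    captured = parse_frame(bytes.fromhex(NACHI_FRAME_HEX + "01"))  # with the stray trailing byte
    print(captured["src"], "->", captured["dst"], "len", captured["total_len"],
          "checksums ok:", captured["ip_csum_ok"] and captured["icmp_csum_ok"],
          "nachi:", is_nachi_ping(captured))
    normal = parse_frame(build_echo_request("10.0.0.1", "10.0.0.2", 0x1234, 1, bytes(range(56))))
    print("ordinary 56-byte ping classified as nachi:", is_nachi_ping(normal))
```

To confirm the same match on the wire before building a filter, the equivalent tcpdump/BPF expression is `icmp[icmptype] == icmp-echo and ip[2:2] == 92 and icmp[8:4] == 0xaaaaaaaa`. The caveat of any content match is that a deliberately crafted ordinary ping with a 64-byte payload of 0xAA (for example `ping -p aa -s 64`) is byte-identical in the fields checked and is dropped as well; the last test below shows that case.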