Best way to filter "Nachi pings"?
Gregory Sutter
gsutter at zer0.org
Mon Oct 27 00:57:49 PST 2003
On 2003-10-27 00:31 -0700, Brett Glass <brett at lariat.org> wrote:
> We're being ping-flooded by the Nachi worm, which probes subnets for
> systems to attack by sending 92-byte ping packets. Unfortunately,
> IPFW doesn't seem to have the ability to filter packets by length.
> Assuming that I stick with IPFW, what's the best way to stem the
> tide?
You could filter by icmptype, with the result that no ICMP ECHO
packets would transit your firewall (i.e. ping stops working).
Here is what I use on one of my hosts. Comments welcome.
# icmp
# echo reply, dest unreach, redirect, echo request, ttl exceeded
$fwcmd add 07000 allow icmp from me to any out xmit $eth icmptypes 0,3,5,8,11
# echo reply, dest unreach, echo request, ttl exceeded
$fwcmd add 07010 allow icmp from any to me in recv $eth icmptypes 0,3,8,11
(The remainder are denied by default.)
Greg
--
Gregory S. Sutter It is no measure of health to be
mailto:gsutter at zer0.org well adjusted to a profoundly
http://zer0.org/~gsutter/ sick society. --Krishnamurti
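Added illustration, not code from the thread: a small model of ipfw's first-match evaluation applied to the two rules above, showing that a length-based deny for the 92-byte echo request (assumed here to be the IP total length, using ipfw's `iplen` option, which this model only imitates) has to be numbered below rule 07010 or it is never reached. Packets and the rule numbers other than 07000/07010 are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                 # "icmp", "tcp", ...
    direction: str             # "in" or "out"
    icmptype: Optional[int] = None
    iplen: int = 0             # IP total length in bytes

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow" or "deny"
    proto: str
    direction: str
    icmptypes: Optional[FrozenSet[int]] = None
    iplen: Optional[int] = None   # models ipfw's "iplen" option (assumption)

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto or self.direction != p.direction:
            return False
        if self.icmptypes is not None and p.icmptype not in self.icmptypes:
            return False
        if self.iplen is not None and p.iplen != self.iplen:
            return False
        return True

def evaluate(rules: List[Rule], p: Packet) -> Tuple[int, str]:
    """ipfw walks rules in ascending number order and applies the first
    match; 65535 stands for the implicit default deny at the end."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.number, r.action
    return 65535, "deny"

# The two rules from the post, translated into this model.
POSTED = [
    Rule(7000, "allow", "icmp", "out", frozenset({0, 3, 5, 8, 11})),
    Rule(7010, "allow", "icmp", "in", frozenset({0, 3, 8, 11})),
]
# Length-based deny for inbound 92-byte echo requests: 6990 sits before
# the allow and takes effect; 7020 sits after it and is shadowed.
NACHI_DENY_OK = Rule(6990, "deny", "icmp", "in", frozenset({8}), iplen=92)
NACHI_DENY_SHADOWED = Rule(7020, "deny", "icmp", "in", frozenset({8}), iplen=92)

# Constructed sample packets.
NACHI_PING = Packet("icmp", "in", icmptype=8, iplen=92)
NORMAL_PING = Packet("icmp", "in", icmptype=8, iplen=84)   # 20 + 8 + 56 bytes
REDIRECT_IN = Packet("icmp", "in", icmptype=5)             # not in 07010's list
```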