Best way to filter "Nachi pings"?
Ross Wheeler
rossw at albury.net.au
Mon Oct 27 03:24:00 PST 2003
> > Blocking all ping packets to improve security is nothing more than
> > security through obscurity.
>
> No, you're missing the point - when all of my clients started massively
> pinging the internet, the load on my nat box brings down connectivity for
> my whole office. We're not talking about obscuring the layout of a
> network - we're talking about a client that is massively flooding with a
> particular kind of traffic, and so we're blocking that traffic to avoid
> dos. That traffic just happens to be ping traffic. Yes, not being able
> to send outbound pings is unfortunate, but if the alternative is to lose
> your connectivity entirely, blocking pings seems preferable.
> iplen len
> Matches IP packets whose total length, including header and
> data, is len bytes.
>
> However, this isn't going to help most people with 4.x systems, so their
> best option is probably still to block all pings.
The "best" option is to actively monitor for this worm (it's NOT difficult,
a few lines of awk and tcpdump do fine here), *DETECT* the worm on your
customer's machine, mail them, mail your support team and BOOT THEM. I've
been doing it here since about 4 hours after blaster hit, and it's saved
us immeasurable pain. We're lucky to have 2 users a day get (re)infected.
Detecting them, identifying them and kicking them off the appropriate NAS
they are attached to, including sending e-mail, takes under 15 seconds. It
minimises the chances of them infecting anyone else, AND reduces the
impact on your network.
Oh, filtering ingress traffic to minimise its entry into your network is a
good thing too.
YMMV.
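The tcpdump-plus-awk detection the post alludes to, written out as an added example (this is not Ross Wheeler's script or anything from the original thread). It keys on the fixed size of the worm's probe: Nachi/Welchia's ICMP echo requests carried 64 bytes of payload, so each was a 92-byte IP datagram (20-byte IP header + 8-byte ICMP header + 64 bytes), which is the value the quoted ipfw `iplen` option would be used with. Assumptions not in the thread: the tcpdump line layout (the modern `tcpdump -n` form, where the trailing `length 72` is the ICMP length, 8 + 64), the interface name, the reporting threshold, and the sample lines, which are constructed rather than taken from a capture.

```shell
#!/bin/sh
# Added example, not code from the original post: count Nachi/Welchia-sized
# ICMP echo requests per source in tcpdump output and report every source
# that crosses a threshold. Welchia probes were 92-byte IP datagrams
# (20 IP + 8 ICMP + 64 payload); modern tcpdump prints that as "length 72"
# (the ICMP length). Line layout, threshold and sample data are assumptions.

# Live use (interface name is a placeholder); the BPF test ip[2:2] = 92
# matches the IP total length field, the same thing ipfw's iplen matches:
#   tcpdump -nl -i fxp0 'icmp[icmptype] = icmp-echo and ip[2:2] = 92' | nachi_detect 20
nachi_detect() {
    thr=${1:-20}   # echo requests from one source before it is reported
    awk -v thr="$thr" '
        # Field layout assumed: $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:" ...
        /ICMP echo request,/ && / length 72$/ {
            src = $3
            n[src]++
            if (n[src] == thr) print src   # report each offender exactly once
        }
    '
}

# Constructed sample: 10.0.0.7 sends three worm-sized probes, 10.0.0.8 two,
# and 10.0.0.9 one ordinary ping (56-byte payload, so "length 64").
SAMPLE='12:00:00.000001 IP 10.0.0.7 > 192.0.2.1: ICMP echo request, id 512, seq 1, length 72
12:00:00.000002 IP 10.0.0.9 > 192.0.2.5: ICMP echo request, id 1, seq 1, length 64
12:00:00.000003 IP 10.0.0.7 > 192.0.2.2: ICMP echo request, id 512, seq 2, length 72
12:00:00.000004 IP 10.0.0.8 > 192.0.2.3: ICMP echo request, id 512, seq 1, length 72
12:00:00.000005 IP 10.0.0.7 > 192.0.2.3: ICMP echo request, id 512, seq 3, length 72
12:00:00.000006 IP 10.0.0.8 > 192.0.2.4: ICMP echo request, id 512, seq 2, length 72'

# With a threshold of 3 only 10.0.0.7 is reported; the normal ping never counts.
printf '%s\n' "$SAMPLE" | nachi_detect 3
```

In practice the reported address goes to whatever maps a customer IP to a NAS session and mailbox, which is site-specific and left out here. The threshold matters: a single 92-byte echo request is not proof of infection (any ping with a 64-byte payload looks the same on the wire), but a host emitting dozens of them to sequential destinations in seconds is the worm's scanning behaviour.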