Best way to filter "Nachi pings"?
Kris Kennaway
kris at obsecurity.org
Mon Oct 27 01:34:37 PST 2003
On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
> On Mon, 27 Oct 2003, Kris Kennaway wrote:
>
> > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > > We're being ping-flooded by the Nachi worm, which probes subnets for
> > > systems to attack by sending 92-byte ping packets. Unfortunately,
> > > IPFW doesn't seem to have the ability to filter packets by length.
> > > Assuming that I stick with IPFW, what's the best way to stem the
> > > tide?
> >
> > Block all ping packets? Most security-conscious admins do this
>
> D'oh? I like ping very much and it would make me very sad indeed if I
> couldn't ping my boxes to solve possible network problems along the way. I
> fail to see the security problem and possible DoS issues could be solved
> by using limiting of sort.
The security and DoS concerns are really kind of obvious.
No-one has a gun to your head though, so I fail to see why you're
complaining that someone else might do this on their own network.
> Definitely this block-all approach is not sane, its like if someone
> complains about NFS being broken you'd say disable it. Filtering packets
> by length on the other hand is a very nice feature to have.
As it happens, ipfw[2] does this anyway.
Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20031027/1df38774/attachment.bin
More information about the freebsd-security
mailing list