Re: ICMP floods

From: Bryan Bradsby <Bryan.Bradsby@capnet.state.tx.us>
Date: Mon, 19 Feb 2001 16:26:27 -0600 (CST)
To: Thomas Cannon <tcannon@noops.org>

One of our Certified NT techs installed a personal firewall at home that
was reporting an ICMP "DOS flood" from one of our DNS servers. So he sent
an e-mail to my boss saying he was sure the server was hacked including 10
Megabytes of bitmaps to "prove" it.

I checked the logs and saw 9 packets per second from his box from port 137
to port 137 on the FreeBSD DNS server.

Of course the FreeBSD server was sending back ICMP port unreach, just as
it should, for each of these NetBIOS queries.

It seems to me these personal firewalls are (by default) set too sensitive
and lump together dangerous and innocuous packet types, resulting in the
customer being very surprised to see all those "people hacking my
computer".

The vendor looks "good" because their product reports "attacks", the
customer feels comfortable that "he is now protected", and legitimate
infrastructure operators repeatedly explain to very skeptical consumers
that one ICMP echo return (per day) is not an attack on their computer.

-bryan bradsby

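The mistake Bryan describes above, a per-second ICMP counter that cannot tell an error elicited by the host's own traffic from an unsolicited one, is easy to show in code. The following is an added example, not part of the original post or of any firewall product: it replays constructed traffic (UDP 137->137 NetBIOS name queries at 9 per second, each answered with an ICMP type 3 code 3 port-unreachable) through a naive counter and through a stateful classifier that uses the datagram quoted inside the ICMP error, which RFC 792 requires the sender to include. The addresses are documentation-range placeholders, the 5 pps threshold and 2 s state window are assumptions.

```python
"""Naive vs. stateful handling of inbound ICMP errors (added example).

An ICMP destination-unreachable (type 3) quotes the IP header and first
8 bytes of the datagram that triggered it, so a receiver can attribute the
error to its own outbound packet. All traffic below is constructed.
"""
from collections import deque
from dataclasses import dataclass

HOME = "192.0.2.10"      # the tech's home PC (placeholder address, assumption)
DNS = "198.51.100.53"    # the FreeBSD DNS server (placeholder address, assumption)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str            # "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    quoted: tuple = ()    # (src, dst, proto, sport, dport) quoted inside an ICMP error


def netbios_exchange(seconds: int, rate: int = 9) -> list:
    """Constructed traffic: `rate` NetBIOS name queries per second from HOME
    to DNS, each answered by an ICMP port-unreachable that quotes the query."""
    pkts = []
    for s in range(seconds):
        for i in range(rate):
            t = s + i / rate
            pkts.append(Packet(t, HOME, DNS, "udp", 137, 137))
            pkts.append(Packet(t + 0.01, DNS, HOME, "icmp", icmp_type=3, icmp_code=3,
                               quoted=(HOME, DNS, "udp", 137, 137)))
    return pkts


def naive_flood_alerts(pkts, host=HOME, threshold=5) -> list:
    """What the personal firewall did: count inbound ICMP per second and
    raise a 'flood' alert when the count exceeds `threshold` (assumed value).
    Returns the list of seconds that would have been alerted on."""
    counts = {}
    for p in pkts:
        if p.proto == "icmp" and p.dst == host:
            sec = int(p.ts)
            counts[sec] = counts.get(sec, 0) + 1
    return [sec for sec, n in sorted(counts.items()) if n > threshold]


def classify_icmp(pkts, host=HOME, window=2.0) -> dict:
    """Stateful version: remember the host's recent outbound datagrams and
    match each inbound ICMP error's quoted datagram against them. An error
    whose quoted datagram we never sent is the only one worth alerting on."""
    recent = deque()                       # (ts, 5-tuple) of outbound datagrams
    result = {"elicited": 0, "unsolicited": 0}
    for p in sorted(pkts, key=lambda x: x.ts):
        while recent and recent[0][0] < p.ts - window:   # expire old state
            recent.popleft()
        if p.src == host and p.proto != "icmp":
            recent.append((p.ts, (p.src, p.dst, p.proto, p.sport, p.dport)))
        elif p.dst == host and p.proto == "icmp" and p.icmp_type in (3, 11, 12):
            # ICMP error types that quote the offending datagram
            if any(key == p.quoted for _, key in recent):
                result["elicited"] += 1
            else:
                result["unsolicited"] += 1
    return result


if __name__ == "__main__":
    traffic = netbios_exchange(3)
    print("naive alerts on seconds:", naive_flood_alerts(traffic))
    print("stateful:", classify_icmp(traffic))
```

With the three seconds of constructed traffic the naive counter alerts on every second, while the stateful classifier attributes all 27 port-unreachables to the PC's own NetBIOS queries; an ICMP error quoting a datagram the host never sent is the one case it counts as unsolicited.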
================================

On Mon, 19 Feb 2001, Thomas Cannon wrote:

> > * Andy Kim <andy@internetesl.com> [010219 13:18] wrote:
> > > Some of the servers have been getting hit several times with ICMP
> > > floods from our FreeBSD server and we can't figure out why. They
> > > believe that someone had hacked in and put a trojan on our box.
> > > Is there any way of finding out what's going on and more importantly,
> > > how to fix the problem? Any help would be greatly appreciated as
> > > I am rather new to FreeBSD.
>
> Hi Andy.
>
> What is being used to detect these ICMP floods? What version of FreeBSD do
> you have? Also, do you see anything in the FBSD machine's logs about icmp
> source-quench or bandwidth-limit icmp packets being issued?
>
> It's possible that the machine is broken, yes, but it's also possible that
> the measuring device is broken, or that something is misconfigured, or god
> only knows what.
>
> Cheers,
>
> tcannon
>
>
> Richard Feynman was a hacker; read any of his books.
> -Bruce Schneier
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
