Re: DoS attack - advice needed

From: Antonio Carlos Pina (apina@infolink.com.br)
Date: 03/22/01


From: "Antonio Carlos Pina" <apina@infolink.com.br>
To: <freebsd-security@freebsd.org>
Date: Thu, 22 Mar 2001 17:18:22 -0300

Hello Chris,

I will give you just one reason: Path MTU discovery.

Unless you have that type of ICMP enabled, some networks won't access your
site.

Best Regards,

Cordially,
Antonio Carlos Pina
Director of Technology
INFOLINK Internet
http://www.infolink.com.br

----- Original Message -----
From: "Chris Byrnes" <chris@jeah.net>
To: <scanner@jurai.net>
Cc: "Marc Rogers" <marcr@shady.org>; <freebsd-security@FreeBSD.ORG>
Sent: Thursday, March 22, 2001 2:22 PM
Subject: Re: DoS attack - advice needed

> > Do *NOT* block ICMP point blank at ALL. If you need to filter certain
> > types and codes, fine. But NEVER slap an embargo on the entire ICMP
> > protocol. The mentality to do this blows me away every time I hear it
> > uttered from people.
>
> Why? If you have idiots running ping -f yourserver.com from 150 ISPs
> around the world, you're going to want to filter ICMP. That's what I did
> a while back.
>
> And I haven't found a valid reason to re-enable it.
>
>
>
> + Chris Byrnes, chris@JEAH.net
> + JEAH Communications
> + 1-866-AWW-JEAH (Toll-Free)
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
