RE: Best way to filter "Nachi pings"?

From: Francis A. Vidal (francisv-sender-21ebc3_at_irc.dagupan.com)
Date: 10/27/03

  • Next message: Jarkko Santala: "Re: Best way to filter "Nachi pings"?"
    To: <freebsd-security@freebsd.org>
    Date: Mon, 27 Oct 2003 17:17:38 +0800
    
    

    Unfortunately, the Nachi worm uses ICMP echo to probe potential targets. If
    you have a Cisco box, you can match the ICMP message generated by Nachi by
    its size and type and do some fancy stuff with it.

    -----Original Message-----
    From: Jarkko Santala [mailto:jake@iki.fi]
    Sent: Monday, October 27, 2003 5:07 PM
    To: Kris Kennaway
    Cc: security@freebsd.org
    Subject: Re: Best way to filter "Nachi pings"?

    On Mon, 27 Oct 2003, Kris Kennaway wrote:

    > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
    > > We're being ping-flooded by the Nachi worm, which probes subnets for
    > > systems to attack by sending 92-byte ping packets. Unfortunately,
    > > IPFW doesn't seem to have the ability to filter packets by length.
    > > Assuming that I stick with IPFW, what's the best way to stem the
    > > tide?
    >
    > Block all ping packets? Most security-conscious admins do this

    D'oh? I like ping very much and it would make me very sad indeed if I
    couldn't ping my boxes to solve possible network problems along the way. I
    fail to see the security problem and possible DoS issues could be solved
    by using limiting of sort.

    Definitely this block-all approach is not sane, it's like if someone
    complains about NFS being broken you'd say disable it. Filtering packets
    by length on the other hand is a very nice feature to have.

            -jake

    -- 
    Jarkko Santala <jake(ät)iki.fi>  System Administrator  http://iki.fi/jake/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
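
Added example, not part of the original thread or any poster's code: the "match by size and type" idea from the messages above, as a Python check over raw IPv4 packets that flags only ICMP echo requests of the quoted size and lets ordinary pings through. It assumes the 92 bytes quoted in the thread is the IPv4 total length; the function names and the sample packets (documentation addresses, zero checksums) are constructed for illustration.

```python
import struct

NACHI_PING_LEN = 92      # size quoted in the thread; assumed to be the IPv4 total length
ICMP_PROTO = 1
ICMP_ECHO_REQUEST = 8

def is_suspect_ping(packet: bytes, length: int = NACHI_PING_LEN) -> bool:
    """True when a raw IPv4 packet is an ICMP echo request of exactly `length` bytes."""
    if len(packet) < 20:
        return False
    ver_ihl, _tos, total_len, _ident, frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != ICMP_PROTO:
        return False
    ihl = (ver_ihl & 0x0F) * 4           # header length varies when IP options are present
    if ihl < 20 or len(packet) < ihl + 8:
        return False
    if frag & 0x1FFF:                    # non-first fragment carries no ICMP header
        return False
    return total_len == length and packet[ihl] == ICMP_ECHO_REQUEST

def build_ping(total_len: int, icmp_type: int = ICMP_ECHO_REQUEST,
               options: bytes = b"") -> bytes:
    """Constructed sample packet; checksums are left at zero (not needed for matching)."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, 0, 64, ICMP_PROTO, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    pad = total_len - len(header) - len(options) - len(icmp)
    return header + options + icmp + b"\x00" * pad

def filter_stats(packets):
    """Return (dropped, passed) counts for a list of raw packets."""
    dropped = sum(1 for p in packets if is_suspect_ping(p))
    return dropped, len(packets) - dropped

if __name__ == "__main__":
    sample = [build_ping(92), build_ping(84), build_ping(92, icmp_type=0),
              build_ping(92, options=b"\x01\x01\x01\x00")]
    print(filter_stats(sample))
```
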
    
