Re: Best way to filter "Nachi pings"?

From: Jarkko Santala (jake_at_iki.fi)
Date: 10/27/03

    Date: Mon, 27 Oct 2003 12:17:11 +0200 (EET)
    To: Kris Kennaway <kris@obsecurity.org>

    On Mon, 27 Oct 2003, Kris Kennaway wrote:

    > On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
    > > On Mon, 27 Oct 2003, Kris Kennaway wrote:
    > >
    > > > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
    > > > > We're being ping-flooded by the Nachi worm, which probes subnets for
    > > > > systems to attack by sending 92-byte ping packets. Unfortunately,
    > > > > IPFW doesn't seem to have the ability to filter packets by length.
    > > > > Assuming that I stick with IPFW, what's the best way to stem the
    > > > > tide?
    > > >
    > > > Block all ping packets? Most security-conscious admins do this
    > >
    > > D'oh? I like ping very much and it would make me very sad indeed if I
    > > couldn't ping my boxes to solve possible network problems along the way. I
    > > fail to see the security problem and possible DoS issues could be solved
    > > by using limiting of some sort.
    >
    > The security and DoS concerns are really kind of obvious.

    Both of which I believe can be handled in a more civilized way. Blocking
    all ping packets to improve security is nothing more than security through
    obscurity. It may hide your system against the simplest ping probes, but
    it does nothing to improve security as such.

    > No-one has a gun to your head though, so I fail to see why you're
    > complaining that someone else might do this on their own network.

    That was not the reason why I complained. The reason was someday some
    newbie might read your post and come to the conclusion that blocking all
    ping packets is the only solution and even a good one, which is what I
    disagree with.

    > > Definitely this block-all approach is not sane, it's like if someone
    > > complains about NFS being broken you'd say disable it. Filtering packets
    > > by length on the other hand is a very nice feature to have.
    >
    > As it happens, ipfw[2] does this anyway.

    IMHO this is the correct answer that might have been given right away.

            -jake

    -- 
    Jarkko Santala <jake(ät)iki.fi>  System Administrator  http://iki.fi/jake/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
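The thread settles on filtering by packet length rather than blocking all ICMP. As an added example (not from the list or any poster), the same check done on raw IPv4 packets in Python: only ICMP echo requests whose IP total length is 92 bytes, the size Brett Glass describes, are flagged, and every other ping passes. The sample packets are constructed inline, and checksums are left zero because they play no part in the check.

```python
import struct

ICMP_ECHO_REQUEST = 8
# 92 bytes total = 20-byte IPv4 header + 8-byte ICMP header + 64-byte payload
NACHI_PING_TOTAL_LEN = 92


def parse_ipv4(pkt: bytes):
    """Return (protocol, total_len, payload) for a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20:
        return None
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    # Reject truncated or inconsistent headers rather than guessing.
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    return proto, total_len, pkt[ihl:total_len]


def is_nachi_style_ping(pkt: bytes) -> bool:
    """True only for an ICMP echo request with an IP total length of exactly 92 bytes."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return False
    proto, total_len, payload = parsed
    if proto != 1 or len(payload) < 8:  # 1 = ICMP; need the 8-byte ICMP header
        return False
    return payload[0] == ICMP_ECHO_REQUEST and total_len == NACHI_PING_TOTAL_LEN


def build_echo_request(payload: bytes, src=b"\x0a\x00\x00\x01",
                       dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample: IPv4 + ICMP echo request carrying `payload` (checksums zero)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, src, dst)
    return ip + icmp


def count_suspect(packets) -> int:
    """Count packets that match the 92-byte echo-request signature."""
    return sum(1 for p in packets if is_nachi_style_ping(p))


if __name__ == "__main__":
    sample = [build_echo_request(b"\xaa" * 64),   # 92 bytes: matches
              build_echo_request(b"\x00" * 56)]   # 84 bytes: an ordinary ping, passes
    print("suspect packets:", count_suspect(sample))
```

The same idea in the firewall is a deny rule restricted to ICMP echo requests of that one length, which keeps ordinary ping working, as the reply argues it should.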