Re: Best way to filter "Nachi pings"?

From: Ross Wheeler (rossw_at_albury.net.au)
Date: 10/27/03

  • Next message: Brett Glass: "Re: Best way to filter "Nachi pings"?"
    Date: Mon, 27 Oct 2003 22:23:53 +1100 (EST)
    To: Jason Stone <freebsd-security@dfmm.org>
    
    

    > > Blocking all ping packets to improve security is nothing more than
    > > security through obscurity.
    >
    > No, you're missing the point - when all of my clients started massively
    > pinging the internet, the load on my nat box brings down connectivity for
    > my whole office. We're not talking about obscuring the layout of a
    > network - we're talking about a client that is massively flooding with a
    > particular kind of traffic, and so we're blocking that traffic to avoid
    > dos. That traffic just happens to be ping traffic. Yes, not being able
    > to send outbound pings is unfortunate, but if the alternative is to lose
    > your connectivity entirely, blocking pings seems preferable.

    > iplen len
    > Matches IP packets whose total length, including header and
    > data, is len bytes.
    >
    > However, this isn't going to help most people with 4.x systems, so their
    > best option is probably still to block all pings.

    The "best" option is to actively monitor for this worm (it's NOT difficult,
    a few lines of awk and tcpdump does fine here), *DETECT* the worm on your
    customer's machine, mail them, mail your support team and BOOT THEM. I've
    been doing it here since about 4 hours after blaster hit, and it's saved
    us immeasurable pain. We're lucky to have 2 users a day get (re)infected.

    Detecting them, identifying them and kicking them off the appropriate NAS
    they are attached to, including sending e-mail, takes under 15 seconds. It
    minimises the chances of them infecting anyone else, AND reduces the
    impact on your network.

    Oh, filtering ingress traffic to minimise its entry into your network is a
    good thing too.

    YMMV.

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
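The "few lines of awk and tcpdump" Ross describes, written out as an added example that is not part of the original post or anyone's production script. It assumes plain `tcpdump -nn` output (timestamp, `IP`, source, `>`, destination, then the ICMP description ending in `length N`) and keys on the ICMP echo requests Nachi/Welchia is known to send: 64 bytes of 0xAA payload plus the 8-byte ICMP header, so tcpdump reports `length 72` (a 92-byte IP packet, the figure the `iplen` rule in the quoted reply would match). The threshold, the interface name and the sample capture are all constructed for the illustration; verify the packet size against your own captures before kicking anyone off.

```shell
#!/bin/sh
# Added example: flag hosts sending Nachi-style ICMP echo requests from
# tcpdump output. Everything here is constructed for illustration.

# detect_nachi THRESHOLD < tcpdump_output
# Counts ICMP echo requests with an ICMP length of 72 bytes per source host
# (assumption: Nachi's 64-byte 0xAA payload + 8-byte ICMP header, i.e. a
# 92-byte IP packet) and prints "src count" for every host that reaches
# THRESHOLD, busiest first. Normal pings (default 56-byte payload, "length 64")
# and echo replies are ignored, so a user pinging a few hosts is not flagged.
detect_nachi() {
    threshold="${1:-20}"
    awk -v thr="$threshold" '
        /ICMP echo request/ && /length 72$/ {
            src = $3            # "HH:MM:SS.uuuuuu IP <src> > <dst>: ..."
            n[src]++
        }
        END {
            for (h in n) if (n[h] >= thr) printf "%s %d\n", h, n[h]
        }
    ' | sort -k 2,2nr
}

# Constructed sample capture (not real traffic): 10.0.0.5 is an infected box
# sweeping sequential addresses, 10.0.0.9 is a user doing ordinary pings,
# 10.0.0.7 sent a single 92-byte echo request and stays under the threshold.
sample_capture() {
    i=1
    while [ "$i" -le 25 ]; do
        printf '12:00:00.%06d IP 10.0.0.5 > 10.1.0.%d: ICMP echo request, id 512, seq %d, length 72\n' "$i" "$i" "$i"
        i=$((i + 1))
    done
    printf '12:00:01.000001 IP 10.0.0.9 > 10.2.0.1: ICMP echo request, id 1234, seq 1, length 64\n'
    printf '12:00:01.000002 IP 10.0.0.9 > 10.2.0.2: ICMP echo request, id 1234, seq 2, length 64\n'
    printf '12:00:01.000003 IP 10.0.0.7 > 10.3.0.1: ICMP echo request, id 777, seq 1, length 72\n'
    printf '12:00:01.000004 IP 10.1.0.3 > 10.0.0.5: ICMP echo reply, id 512, seq 3, length 72\n'
}

# Stand-alone run over the constructed sample. On a live NAS-facing interface
# (name assumed) the equivalent would be:
#   tcpdump -nnli em0 icmp | detect_nachi 20
sample_capture | detect_nachi 20
```

The awk keeps one counter per source and never resets it, which is fine for a one-shot sweep over a capture file; for the continuous monitoring the post describes you would run it in a loop over short windows (or have awk emit on a counter rather than at END) so that a host is reported within seconds rather than at the end of the stream. Whatever you do with the result (mail, RADIUS disconnect) is site-specific and not shown here.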

