Re: Best way to filter "Nachi pings"?

From: Gaspar Chilingarov (nm_at_web.am)
Date: 10/27/03

  • Next message: Peter C. Lai: "Re: Best way to filter "Nachi pings"?"
    Date: Mon, 27 Oct 2003 23:18:28 +0400
    To: "David G. Andersen" <danderse@cs.utah.edu>, "Brett Glass" <brett@lariat.org>
    
    

    Hello

    here is the dump of such packets -

    6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236
    (FastEthernet5
    620185F0: 0002 4A6E40C8 00D05201 ..Jn@H.PR.
    62018600: 312E0800 4500005C 99180000 7E01A9DF 1...E..\....~.)_
    62018610: D97110DA D97135EC 08009A83 02000627 Yq.ZYq5l.......'
    62018620: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    62018630: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    62018640: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    62018650: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    62018660: 31 1
    6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.237
    (FastEthernet5
    6201FF40: 0002 ..
    6201FF50: 4A6E40C8 00D05201 312E0800 4500005C Jn@H.PR.1...E..\
    6201FF60: 99190000 7E01A9DD D97110DA D97135ED ....~.)]Yq.ZYq5m
    6201FF70: 08009983 02000727 AAAAAAAA AAAAAAAA .......'********
    6201FF80: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    6201FF90: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    6201FFA0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    6201FFB0: AAAAAAAA AAAAAAAA 31 ********1

    6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.179
    (FastEthernet5/0/0), len 92, access denied
    61B6B380: 0002 4A6E40C8 00D05201 312E0800 ..Jn@H.PR.1...
    61B6B390: 4500005C 98D90000 7E01AA57 D97110DA E..\.Y..~.*WYq.Z
    61B6B3A0: D97135B3 0800D283 0200CE26 AAAAAAAA Yq53..R...N&****
    61B6B3B0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    61B6B3C0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    61B6B3D0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA ****************
    61B6B3E0: AAAAAAAA AAAAAAAA AAAAAAAA 01 ************.

    and also one packet split into fields:
    d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236
    (FastEthernet5

    # offset = 0
    00:02:4A:6E:40:C8 00:D0:52:01:31:2E 0800 ether frame
    # offset=14
    4500005C # ip frame -
    5c means total len 92 bytes
    98D90000
    7E01AA57 #
    01 means icmp protocol
    D97110DA
    D97135B3
    #offset=34
    0800D283 #
    icmp header - 08 - type echo req, code 00
    0200CE26 #
    id, queue number
    #offset=42
    AAAAAAAA
    AAAAAAAA
    AAAAAAAA
    AAAAAAAA AAAAAAAA
    AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
    AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
    AAAAAAAA AAAAAAAA AAAAAAAA 01

    So, if you can filter by packet content you can easily drop only Nachi's
    ICMP packets .... :)
    A little bit off-topic - I've set up content filters on a Lucent Max and this
    helped a lot to decrease the load on the network. So we should seek a way to filter by
    packet content, not by length.

    With best regards,
    Gaspar Chilingarov
    ________________________________________________
    WEB ISP - leader in wireless/DSL/dialup services
    in Armenia. Go to http://www.web.am/

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
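The content-based match the post argues for, as an added example (not code from the original mail): it rebuilds the third dumped frame from the bytes above and checks the fields the author walked through (IP total length 92, protocol ICMP, type 8/code 0, 64-byte payload of 0xAA), rejecting frames whose IP or ICMP checksum does not verify. The frame constant and function names are constructed for this example.

```python
"""Detector for the Nachi ICMP echo-request fingerprint shown in the dump:
IP total length 92, protocol 1 (ICMP), type 8 / code 0, payload 64 x 0xAA.
Added example for this thread, not code from the original post."""
import struct

# Constructed sample: third packet of the Cisco debug dump above, trailing
# "01" dropped (Ethernet header + IPv4 header + ICMP header + 64 x 0xAA).
NACHI_FRAME = bytes.fromhex(
    "00024A6E40C8" "00D05201312E" "0800"          # dst MAC, src MAC, ethertype
    "4500005C98D900007E01AA57D97110DAD97135B3"    # IPv4 header (20 bytes)
    "0800D2830200CE26"                            # ICMP echo request header
) + b"\xAA" * 64

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when the block's embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def is_nachi_ping(frame: bytes) -> bool:
    """True if an Ethernet frame carries a Nachi-style 92-byte echo request."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return False                              # not an IPv4 frame
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if ihl < 20 or total_len != 92 or proto != 1 or len(ip) < total_len:
        return False                              # length-only rule would stop here
    if ones_complement_sum(ip[:ihl]) != 0:
        return False                              # corrupt IP header: ignore
    icmp = ip[ihl:total_len]
    if icmp[0] != 8 or icmp[1] != 0 or ones_complement_sum(icmp) != 0:
        return False                              # not an intact echo request
    payload = icmp[8:]
    return len(payload) == 64 and payload == b"\xAA" * 64   # the content match

if __name__ == "__main__":
    print(is_nachi_ping(NACHI_FRAME))             # True
```

A length-only rule would also match the truncated and tampered frames the test feeds in; the payload and checksum checks are what make the match specific to Nachi.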


