Re: Best way to filter "Nachi pings"?
From: Kris Kennaway (kris_at_obsecurity.org)
Date: 10/27/03
Date: Mon, 27 Oct 2003 01:34:35 -0800
To: Jarkko Santala <jake@iki.fi>
On Mon, Oct 27, 2003 at 11:06:52AM +0200, Jarkko Santala wrote:
> On Mon, 27 Oct 2003, Kris Kennaway wrote:
>
> > On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> > > We're being ping-flooded by the Nachi worm, which probes subnets for
> > > systems to attack by sending 92-byte ping packets. Unfortunately,
> > > IPFW doesn't seem to have the ability to filter packets by length.
> > > Assuming that I stick with IPFW, what's the best way to stem the
> > > tide?
> >
> > Block all ping packets? Most security-conscious admins do this.
>
> D'oh? I like ping very much and it would make me very sad indeed if I
> couldn't ping my boxes to solve possible network problems along the way. I
> fail to see the security problem, and possible DoS issues could be solved
> by using limiting of some sort.
The security and DoS concerns are really kind of obvious.
No-one has a gun to your head though, so I fail to see why you're
complaining that someone else might do this on their own network.
> Definitely this block-all approach is not sane; it's like if someone
> complains about NFS being broken you'd say disable it. Filtering packets
> by length on the other hand is a very nice feature to have.
As it happens, ipfw[2] does this anyway.
Kris
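As an added example (not part of the thread), a small Python detector that flags the 92-byte echo requests Brett describes in tcpdump-style lines, counts them per source so probing hosts stand out, and renders the ipfw2 length rule Kris alludes to. The sample log is constructed; the assumptions are that tcpdump's one-line ICMP output reports the ICMP message length (so a 92-byte IP packet appears as length 72) and that IP headers carry no options.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture). In tcpdump's one-line
# ICMP output, "length N" is the ICMP message length (header + payload), so a
# 92-byte IP packet (20-byte header, no options) shows up as length 72.
SAMPLE_LOG = """\
01:34:35.100001 IP 10.0.0.5 > 10.0.1.1: ICMP echo request, id 512, seq 1, length 72
01:34:35.100120 IP 10.0.0.5 > 10.0.1.2: ICMP echo request, id 512, seq 2, length 72
01:34:35.100233 IP 10.0.0.5 > 10.0.1.3: ICMP echo request, id 512, seq 3, length 72
01:34:35.100345 IP 10.0.0.5 > 10.0.1.4: ICMP echo request, id 512, seq 4, length 72
01:34:36.200000 IP 10.0.0.9 > 10.0.1.1: ICMP echo request, id 1, seq 1, length 64
01:34:36.200500 IP 10.0.1.1 > 10.0.0.9: ICMP echo reply, id 1, seq 1, length 64
01:34:37.300000 IP 10.0.0.7 > 10.0.1.8: ICMP echo request, id 7, seq 1, length 72
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply),"
    r" id \d+, seq \d+, length (?P<icmp_len>\d+)$"
)

IP_HEADER_LEN = 20      # assumption: no IP options
SUSPECT_IP_LEN = 92     # the packet size quoted in the thread (IP total length)


def parse_echo(line):
    """Return (src, dst, kind, ip_total_len) for an ICMP echo line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], m["dst"], m["kind"], int(m["icmp_len"]) + IP_HEADER_LEN)


def suspect_sources(log, min_hits=3, ip_len=SUSPECT_IP_LEN):
    """Count echo requests of exactly ip_len bytes per source and return the
    sources that sent at least min_hits of them (likely hosts probing subnets)."""
    hits = Counter()
    for line in log.splitlines():
        rec = parse_echo(line)
        if rec and rec[2] == "request" and rec[3] == ip_len:
            hits[rec[0]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


def ipfw_length_rule(number, ip_len=SUSPECT_IP_LEN):
    """ipfw2 rule dropping echo requests of the given IP total length. icmptypes
    and iplen are documented ipfw options; the rule number is the caller's choice."""
    return f"ipfw add {number} deny icmp from any to any icmptypes 8 iplen {ip_len}"
```

Matching on length alone also drops legitimate 92-byte echo requests, so pair the rule with the per-source counts above to confirm which hosts are actually scanning.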