Re: Best way to filter "Nachi pings"?
From: Gregory Sutter (gsutter@zer0.org)
Date: Mon Oct 27 2003 - 02:57:46 CST
On 2003-10-27 00:31 -0700, Brett Glass <brett@lariat.org> wrote:
> We're being ping-flooded by the Nachi worm, which probes subnets for
> systems to attack by sending 92-byte ping packets. Unfortunately,
> IPFW doesn't seem to have the ability to filter packets by length.
> Assuming that I stick with IPFW, what's the best way to stem the
> tide?
You could filter by icmptype, with the result that no ICMP ECHO
packets would transit your firewall (i.e. ping stops working).
Here is what I use on one of my hosts. Comments welcome.
# icmp
# echo reply, dest unreach, redirect, echo request, ttl exceeded
$fwcmd add 07000 allow icmp from me to any out xmit $eth icmptypes 0,3,5,8,11
# echo reply, dest unreach, echo request, ttl exceeded
$fwcmd add 07010 allow icmp from any to me in recv $eth icmptypes 0,3,8,11
(The remainder are denied by default.)
Greg
--
Gregory S. Sutter          It is no measure of health to be
mailto:gsutter@zer0.org    well adjusted to a profoundly
http://zer0.org/~gsutter/  sick society. --Krishnamurti
-----BEGIN PGP SIGNATURE-----
iD8DBQE/nN4KIBUx1YRd/t0RArTFAJ9nwq3BBIkx424hG8TlHFK03B9iSwCfbLWI
8ZoLfiUn38BtvGkTRVH8GvE=
=cf8d
-----END PGP SIGNATURE-----
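As an added example that is not part of the original message and not ipfw code: a small Python script that builds constructed IPv4/ICMP datagrams and runs two filters over them, the icmptypes allow-lists from Greg's two rules and the packet-length test Brett asked about. It shows why the icmptypes rules alone do not stop the probes (a 92-byte Nachi echo request is type 8, which the inbound rule allows) and what a length-aware filter would match instead. Assumptions: the 92-byte datagram size is Brett's figure; the 84-byte and 60-byte comparison pings use the BSD/Linux and Windows ping default payload sizes (56 and 32 bytes); addresses and payload bytes are made up; and `length_decision` models a filter ipfw did not offer at the time, not an ipfw feature.

```python
"""Classify ICMP echo traffic by type versus by packet length.

Added example for the Nachi-ping thread; not code from the original message.
All packets are constructed in-line, not captured traffic.
"""
import socket
import struct

# Total IPv4 datagram length of a Nachi probe, as stated in the thread.
NACHI_PROBE_LEN = 92

# The icmptypes allow-lists from Greg's two ipfw rules (everything else is denied).
INBOUND_ALLOWED_TYPES = {0, 3, 8, 11}      # rule 07010, "in recv $eth"
OUTBOUND_ALLOWED_TYPES = {0, 3, 5, 8, 11}  # rule 07000, "out xmit $eth"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_packet(icmp_type: int, payload: bytes, code: int = 0,
                      src: str = "192.0.2.1", dst: str = "192.0.2.2") -> bytes:
    """Construct a minimal IPv4 (no options) + ICMP datagram with valid checksums.

    For echo request/reply the 4 bytes after the ICMP checksum are identifier
    and sequence number; for other types they are simply opaque header bytes.
    """
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(packet: bytes) -> dict:
    """Return total length, ICMP type/code and payload length; reject non-ICMP."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != socket.IPPROTO_ICMP:
        raise ValueError("not an ICMP datagram")
    # Checksumming a header that already carries its checksum must yield 0.
    if inet_checksum(packet[:ihl]) != 0 or inet_checksum(packet[ihl:total_len]) != 0:
        raise ValueError("bad checksum")
    return {
        "total_len": total_len,
        "type": packet[ihl],
        "code": packet[ihl + 1],
        "payload_len": total_len - ihl - 8,
    }


def icmptypes_decision(packet: bytes, direction: str) -> str:
    """What Greg's icmptypes rules do: allow the listed types, deny the rest."""
    allowed = INBOUND_ALLOWED_TYPES if direction == "in" else OUTBOUND_ALLOWED_TYPES
    return "allow" if parse_icmp(packet)["type"] in allowed else "deny"


def length_decision(packet: bytes) -> str:
    """What a length-aware filter could do: drop only 92-byte echo requests.

    Hypothetical: ipfw had no packet-length match when this thread was written.
    """
    info = parse_icmp(packet)
    if info["type"] == 8 and info["total_len"] == NACHI_PROBE_LEN:
        return "deny"
    return "allow"


# Constructed samples.  A 64-byte payload gives the 92-byte datagram from the
# thread; 56 bytes is the BSD/Linux ping default (84 bytes total); 32 bytes is
# the Windows ping default (60 bytes total).  Fill bytes are arbitrary.
NACHI_PROBE = build_icmp_packet(8, b"A" * 64)
UNIX_PING = build_icmp_packet(8, bytes(range(56)))
WINDOWS_PING = build_icmp_packet(8, b"B" * 32)
INBOUND_REDIRECT = build_icmp_packet(5, b"\x00" * 28)  # type 5 is not on the inbound list


if __name__ == "__main__":
    for name, pkt in [("nachi probe", NACHI_PROBE), ("unix ping", UNIX_PING),
                      ("windows ping", WINDOWS_PING), ("redirect", INBOUND_REDIRECT)]:
        info = parse_icmp(pkt)
        print("%-13s len=%3d type=%2d icmptypes(in)=%-5s length-filter=%s" % (
            name, info["total_len"], info["type"],
            icmptypes_decision(pkt, "in"), length_decision(pkt)))
```

Run as a script it prints one line per sample: the icmptypes allow-list passes all three echo requests and only rejects the redirect, while the length test singles out the 92-byte probe and leaves ordinary 84- and 60-byte pings alone. Matching on a fixed datagram size is brittle (any change in the worm's payload size defeats it), which is why the type-based allow-list is the part that belongs in a permanent ruleset.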