Re: ICMP Ping and Group Policy Update
From: Andy Dustman (adustman TERRY.UGA.EDU)
Date: Wed Oct 01 2003 - 15:35:01 CDT
On Wed, 2003-10-01 at 10:13, Paul Robichaux wrote:
> Block ICMP packets with length 92 and you're golden. Blocking all ICMP
> causes other problems, as you note; it's equivalent to blocking all, say,
> TCP traffic in that it improves your security while degrading your
> functionality.
What you should be blocking is the ICMP echo-request (type 8), and then
only ones originating from outside your network. There's no guarantee
that they will be length 92. It does seem that Windows boxes (ones which
I believe are infected with Blaster or Nachi; this may not be true in
general) are generating 92-byte packets with a payload of all 0xAA; Linux
ping (for example) generates an 84-byte packet with a shifting
bit-pattern in the payload, probably for diagnostic purposes.
Dropping ICMP echo-requests that are internal to your network may cause
problems for certain applications (DHCP comes to mind), but YMMV.
Blaster will only try to infect hosts that it can ping.
Worry more about laptops than VPNs...
--
Andy Dustman <adustman terry.uga.edu>
Office of Information Technology, Terry College of Business, UGA
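
The filtering rule described in the message above, as an added example that is not part of the original post: it drops echo-requests (type 8) only when they come from outside the network, and reports the 92-byte all-0xAA pattern as a note rather than using it as the filter key. The internal range 10.0.0.0/8, the function names and the sample packets (built with zero checksums) are assumptions made for illustration.

```python
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: your internal range

def build_icmp(src, dst, payload, icmp_type=8):
    """Construct a minimal IPv4 + ICMP packet (sample input; checksums left 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + icmp

def classify(packet):
    """Return (action, note) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("pass", "not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 8:
        return ("pass", "not ICMP or truncated")
    if packet[ihl] != 8:
        return ("pass", "ICMP but not echo-request")
    src = ipaddress.ip_address(packet[12:16])
    payload = packet[ihl + 8:total_len]
    # The pattern reported in the message: 92 bytes total, payload all 0xAA.
    worm_like = total_len == 92 and len(payload) > 0 and set(payload) == {0xAA}
    note = "92 bytes, all-0xAA payload" if worm_like else f"{total_len} bytes"
    # Filter on type and origin, not on length: other pings are not 92 bytes.
    if src in INTERNAL_NET:
        return ("pass", "internal echo-request, " + note)
    return ("drop", "external echo-request, " + note)

# Constructed samples: 64 bytes of 0xAA gives 92 bytes total; 56 bytes gives 84.
SAMPLES = {
    "external_aa": build_icmp("198.51.100.7", "10.0.0.5", b"\xaa" * 64),
    "internal_aa": build_icmp("10.1.2.3", "10.0.0.5", b"\xaa" * 64),
    "external_84": build_icmp("198.51.100.7", "10.0.0.5", bytes(range(56))),
    "echo_reply": build_icmp("198.51.100.7", "10.0.0.5", b"\xaa" * 64, icmp_type=0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

The 84-byte external sample is dropped as well, which a length-92 filter alone would let through.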