We're being ping-flooded by the Nachi worm, which probes subnets for systems to attack by sending 92-byte ping packets. Unfortunately, IPFW doesn't seem to have the ability to filter packets by length. Assuming that I stick with IPFW, what's the best way to stem the tide?

--Brett Glass
On Mon, Oct 27, 2003 at 12:31:46AM -0700, Brett Glass wrote:
> We're being ping-flooded by the Nachi worm, which probes subnets for
> systems to attack by sending 92-byte ping packets. Unfortunately,
> IPFW doesn't seem to have the ability to filter packets by length.
> Assuming that I stick with IPFW, what's the best way to stem the
> tide?

Block all ping packets? Most security-conscious admins do this anyway.

Kris
On 2003-10-27 00:31 -0700, Brett Glass <brett@lariat.org> wrote:
> We're being ping-flooded by the Nachi worm, which probes subnets for
> systems to attack by sending 92-byte ping packets. Unfortunately,
> IPFW doesn't seem to have the ability to filter packets by length.
> Assuming that I stick with IPFW, what's the best way to stem the
> tide?

You could filter by icmptype, with the result that no ICMP ECHO packets would transit your firewall (i.e. ping stops working). Here is what I use on one of my hosts. Comments welcome.

    # icmp
    # echo reply, dest unreach, redirect, echo request, ttl exceeded
    $fwcmd add 07000 allow icmp from me to any out xmit $eth icmptypes 0,3,5,8,11
    # echo reply, dest unreach, echo request, ttl exceeded
    $fwcmd add 07010 allow icmp from any to me in recv $eth icmptypes 0,3,8,11

(The remainder are denied by default.)

Greg
-- 
Gregory S. Sutter                 It is no measure of health to be
mailto:gsutter@zer0.org           well adjusted to a profoundly
http://zer0.org/~gsutter/         sick society.  --Krishnamurti
Hello, here is the dump of such packets:
and also one packet split into fields:

    d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236 (FastEthernet5
    # offset = 0
    00:02:4A:6E:40:C8 00:D0:52:01:31:2E 0800   # ether frame
    # offset=14
    4500005C                    # ip frame - 5c means total len 92 bytes
    98D90000 7E01AA57           # 01 means icmp protocol
    D97110DA D97135B3
    # offset=34
    0800D283                    # icmp header - 08 - type echo req, code 00
    0200CE26                    # id, queue number
    # offset=42
    AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
    AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
    AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
    AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
    01

So, if you can filter by packet content, you can easily drop only Nachi's ICMP packets .... :)

A little bit off topic - I've set up content filters on a Lucent Max and this helped a lot to decrease the load on the network.

So we should seek a way to filter by packet content, not by length.

With best regards,
Gaspar Chilingarov
________________________________________________
WEB ISP - leader in wireless/DSL/dialup services in Armenia. Go to http://www.web.am/
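The content check Gaspar describes above, written out as detection logic in Python. This is an added example, not code from the thread: it parses the Ethernet/IPv4/ICMP headers of the frame reconstructed from the hex in his message, verifies both checksums, and matches only when the 92-byte echo request carries the 64-byte 0xAA data field. The helper with_icmp_data is hypothetical and exists to build a second 92-byte ping with different data, showing why length alone is not a usable filter.

```python
import struct

# Constructed from the packet Gaspar broke into fields above: Ethernet and
# IPv4 headers, ICMP echo request, 64 bytes of 0xAA, the trailing 0x01.
SAMPLE_FRAME = bytes.fromhex(
    "00024A6E40C8" "00D05201312E" "0800"                     # Ethernet
    "4500005C" "98D90000" "7E01AA57" "D97110DA" "D97135B3"    # IPv4
    "0800D283" "0200CE26"                                    # ICMP header
    + "AA" * 64 + "01"                                       # data, trailer
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 over data with a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/ICMP headers, rejecting bad checksums."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    info = {"total_len": total_len, "proto": ip[9], "src": src, "dst": dst}
    if info["proto"] == 1:
        icmp = ip[ihl:total_len]            # drops any Ethernet trailer
        if inet_checksum(icmp) != 0:
            raise ValueError("bad ICMP checksum")
        info.update(icmp_type=icmp[0], icmp_code=icmp[1], icmp_data=icmp[8:])
    return info

def is_nachi_probe(frame: bytes) -> bool:
    """Content match: 92-byte echo request whose 64-byte data is all 0xAA."""
    p = parse_frame(frame)
    return (p["proto"] == 1 and p["total_len"] == 92
            and p.get("icmp_type") == 8 and p.get("icmp_code") == 0
            and p.get("icmp_data") == b"\xaa" * 64)

def with_icmp_data(frame: bytes, data: bytes) -> bytes:
    """Hypothetical helper: keep the IP header (IHL 5), swap the echo data,
    recompute the ICMP checksum. With 64 bytes it is still a 92-byte ping."""
    icmp = bytearray(frame[34:42]) + data
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    return frame[:34] + bytes(icmp)
```

Both checksums in the captured frame verify, which is a useful sanity check that the hex was copied from the router dump intact.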