Home page logo

nanog logo nanog mailing list archives

Re: [nsp] known networks for broadcast ping attacks
From: Systems Engineer <snash () lightning net>
Date: Wed, 30 Jul 1997 17:38:29 -0400

Well ever since this but was introduced to the outside world,  I have
since modified my present Firewall (ipfwadm v2.3.0) to accomodate.

type  prot source               destination          ports
deny  icmp                any
deny  icmp                any

Depending on the nature of the attack,  that will handle it.  I have
tested it and It has worked on my local machine.

But the best thing to do is if you find no need for a broadcast ICMP
message,  simply filter it at the router.

root () gannett com wrote:

The real problem I see with this particular attack is that there is
nothing short of blocking all ICMPs that 'victim.com' can do. At
not that I am aware of.

Well, I've been filtering ICMP for quite a while at my border routers,

and other than the occasional braindead sendmail configuration, and
the fact that Solaris ping can't handle the "Administratively
return from the IOS filter rule, I've yet to see a major downside.

We have a very large quantity of people hitting our network every day.

Is there a specific reason that you can see to allow ICMP inbound to
a 'victim.com'?  Or at least to more than a handful of specific
addresses?  Perhaps there's a better solution with some sort of ICMP
"proxy" at or just behind the router?

Paul D. Robertson
gatekeeper () gannett com

---     ---     ---     ---     ---     ---     ---     ---     ---
Steven Nash                             ph:  (516)248-8400ext25
Systems Engineer / Network Security    fax:  (516)248-8897
Lightning Internet Services LLC      email:  snash () lightning net
---     ---     ---     ---     ---     ---     ---     ---     ---

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]