From: Michael Kearey <mutk@iprimus.com.au>
To: Netfilter Group <netfilter@lists.netfilter.org>
Subject: Re: icmp echo requests
Date: Tue, 30 Sep 2003 08:51:17 +1000 [thread overview]
Message-ID: <3F78B765.6060003@iprimus.com.au> (raw)
In-Reply-To: <Pine.LNX.4.53.0309291238510.2782@xena.cft.ca.us>
Jim Carter wrote:
> On Mon, 29 Sep 2003, cc wrote:
>
>> I've been monitoring the NAT router with pktstat and am a little
>> perturbed to see quite a lot of icmp echo requests. Now I've
>> set up my Linux firewall to reject icmp echo requests.
>>
>> Is this the right(?)/correct/valid/appropriate thing to do?
>
> I see a lot of pings too. At home my Linksys residential gateway reports
> that they look like they were address spoofed. (So how did it figure that
> out?) This leads me to suspect that they are part of a distributed denial
> of service attack -- the alleged origin of the ping, to which you are
> supposed to send a packet, is the victim.
Not necessarily. The pings may be originating from internal infected
Windows machines. See below.
>
> Before my home Linux gateway blew its motherboard, I just dropped all pings
> (in fact, just about everything) on the wild-side interface. Best not to
> send ICMP-host-unreachable; best to drop all unsolicited packets silently,
> except for AUTH requests, for which a rejection saves you an annoying
> timeout. Except, I like to monitor the home machine from work, so I accept
> pings from the work subnet only.
>
> James F. Carter Voice 310 825 2897 FAX 310 206 6673
> UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
> Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
>
>
There are some viruses that cause the infected hosts to spew out lots of
pings. I have seen it, and it brought a gateway/firewall to its
knees, there were so many.
Since then I have done something like this:
# Add rate limiting to prevent DDoS from within - like some worms and
# viruses tend to produce.
# Assumption (not stated in the original message): $LOG held the logging
# target in the poster's script; it must be LOG for --log-prefix to apply.
LOG=${LOG:-LOG}
iptables -N echo_rate_limit
# Each rule is inserted with -I, so the chain ends up in reverse order of
# insertion: RETURN rule first, then the LOG rule, then the catch-all DROP.
iptables -I echo_rate_limit -j DROP
iptables -I echo_rate_limit -m limit --limit 1 --limit-burst 2 -j $LOG \
    --log-prefix "ICMP rate exceeded: "
iptables -I echo_rate_limit -p ICMP -m limit --limit 1 --limit-burst 5 \
    -j RETURN
iptables -I FORWARD -p ICMP -j echo_rate_limit
I did it this way so I could easily insert the rate limit in an
existing forwarding firewall. But you should be able to get the idea
of rate limiting the echo-requests from what you see.
The best thing to do of course is fix the infected hosts. That's why
I log before dropping.
My apologies to OP for replying directly to him....
Cheers,
Michael
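As an added illustration that is not part of this message or of netfilter's own code, the Python below models the iptables `limit` match as a token bucket (the refill rate is `--limit`, the bucket size is `--limit-burst`) and walks a constructed packet stream through the three-rule echo_rate_limit chain in the order the `-I` inserts leave it, so the reader can see which echo requests are returned to FORWARD, which are logged, and which are dropped silently. The timing model and the sample traffic are assumptions; the real match keeps its credits in jiffies, but the documented semantics are the same.

```python
# Added illustration: the netfilter "limit" match modelled as a token bucket,
# used to trace Michael's echo_rate_limit chain. Not the netfilter
# implementation; --limit is the sustained rate, --limit-burst the number of
# packets that may match before the rate starts to apply.
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """One '-m limit --limit RATE/second --limit-burst BURST' instance."""
    rate: float          # tokens refilled per second (--limit)
    burst: int           # bucket capacity (--limit-burst)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # the bucket starts full

    def matches(self, now: float) -> bool:
        """Refill for the time elapsed since the last packet, then spend a token."""
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def echo_rate_limit(arrivals, pass_rate=1.0, pass_burst=5,
                    log_rate=1.0, log_burst=2):
    """Trace ICMP packets (arrival times in seconds) through the chain.

    The three '-I' inserts leave the rules in reverse order of insertion:
      1. -m limit --limit 1 --limit-burst 5 -j RETURN  (back to FORWARD)
      2. -m limit --limit 1 --limit-burst 2 -j LOG     (non-terminating)
      3. -j DROP
    Returns the arrival times grouped by outcome.
    """
    allow = LimitMatch(pass_rate, pass_burst)
    log = LimitMatch(log_rate, log_burst)
    out = {"returned": [], "logged": [], "dropped": []}
    for t in arrivals:
        if allow.matches(t):
            out["returned"].append(t)
            continue
        if log.matches(t):          # LOG fires only for the first excess packets
            out["logged"].append(t)
        out["dropped"].append(t)    # everything past the RETURN rule hits DROP
    return out


def summarize(arrivals, **kw):
    """Packet counts per outcome, the numbers you would compare against logs."""
    return {k: len(v) for k, v in echo_rate_limit(arrivals, **kw).items()}


# Constructed sample traffic (not captured data): a worm-like flood of 20
# echo requests within one second, then three legitimate monitoring pings.
FLOOD = [i * 0.05 for i in range(20)]
MONITOR = [10.0, 15.0, 20.0]
SAMPLE = FLOOD + MONITOR

if __name__ == "__main__":
    trace = echo_rate_limit(SAMPLE)
    print("forwarded:", trace["returned"])
    print("logged:   ", trace["logged"])
    print("dropped:  ", len(trace["dropped"]), "packets")
    print(summarize(SAMPLE))
```

With the defaults from the message, the first five packets of the flood are returned to FORWARD, the next two are logged and dropped, the remaining thirteen are dropped without a log line, and the three slow monitoring pings all pass because the bucket has refilled. That is why the LOG rule has its own, smaller burst: it caps the log volume during a flood instead of writing one line per dropped packet.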
Thread overview: 8+ messages
2003-09-29 6:15 icmp echo requests cc
2003-09-29 6:55 ` Louie Miranda
2003-09-29 19:49 ` Jim Carter
2003-09-29 22:51 ` Michael Kearey [this message]
2003-09-30 1:26 ` cc
-- strict thread matches above, loose matches on Subject: below --
2003-10-01 20:13 Daniel Chemko
2003-09-29 4:32 Edmund
2003-10-01 12:58 ` Jamie Harris