Linux Netfilter discussions
* icmp echo requests
@ 2003-09-29  4:32 Edmund
  2003-10-01 12:58 ` Jamie Harris
  0 siblings, 1 reply; 8+ messages in thread
From: Edmund @ 2003-09-29  4:32 UTC (permalink / raw)
  To: Netfilter Group

Hi,

I've been monitoring the NAT router with pktstat and am a little
perturbed to see quite a lot of ICMP echo requests.  Now I've
set up my Linux firewall to reject ICMP echo requests.

Is this the right(?)/correct/valid/appropriate thing to do?

Furthermore (just for clarification), using tcpdump, I get incoming
ICMP echo requests, but no response from my firewall (good thing,
right?).  This means the firewall is dropping/rejecting the
echo requests?


Here is the line from the firewall script:


iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
        -j REJECT --reject-with icmp-host-unreachable



Btw, I'm quite bothered about the pings.  It doesn't
look right.

-- 






^ permalink raw reply	[flat|nested] 8+ messages in thread

* icmp echo requests
@ 2003-09-29  6:15 cc
  2003-09-29  6:55 ` Louie Miranda
  2003-09-29 19:49 ` Jim Carter
  0 siblings, 2 replies; 8+ messages in thread
From: cc @ 2003-09-29  6:15 UTC (permalink / raw)
  To: Netfilter Group

Hi,

I've been monitoring the NAT router with pktstat and am a little
perturbed to see quite a lot of ICMP echo requests.  Now I've
set up my Linux firewall to reject ICMP echo requests.

Is this the right(?)/correct/valid/appropriate thing to do?

Furthermore (just for clarification), using tcpdump, I get incoming
ICMP echo requests, but no response from my firewall (good thing,
right?).  This means the firewall is dropping/rejecting the
echo requests?


Here is the line from the firewall script:


iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
        -j REJECT --reject-with icmp-host-unreachable



Btw, I'm quite bothered about the pings.  It doesn't
look right.

-- 









* Re: icmp echo requests
  2003-09-29  6:15 cc
@ 2003-09-29  6:55 ` Louie Miranda
  2003-09-29 19:49 ` Jim Carter
  1 sibling, 0 replies; 8+ messages in thread
From: Louie Miranda @ 2003-09-29  6:55 UTC (permalink / raw)
  To: netfilter

Yes, I believe that's correct.
I have this working example. There are also some more reject examples; I
used to have a copy but I lost it. Try Google for more ICMP reject types.

-- snip from 72.creon, haha ----
$IPTABLES -A INPUT -p icmp --icmp-type 8 -d $MYIP -s 0/0 \
        -j REJECT --reject-with icmp-net-unreachable
-- snip from 72.creon, haha ----


-- -
Louie Miranda
http://www.axishift.com


----- Original Message -----
From: "cc" <cc@kdtc.net>
To: "Netfilter Group" <netfilter@lists.netfilter.org>
Sent: Monday, September 29, 2003 2:15 PM
Subject: icmp echo requests




* Re: icmp echo requests
  2003-09-29  6:15 cc
  2003-09-29  6:55 ` Louie Miranda
@ 2003-09-29 19:49 ` Jim Carter
  2003-09-29 22:51   ` Michael Kearey
  2003-09-30  1:26   ` cc
  1 sibling, 2 replies; 8+ messages in thread
From: Jim Carter @ 2003-09-29 19:49 UTC (permalink / raw)
  To: cc; +Cc: Netfilter Group

On Mon, 29 Sep 2003, cc wrote:
> I've been monitoring the NAT router with pktstat and am a little
> perturbed to see quite a lot of icmp echo requests.  Now I've
> setup my Linux firewall to reject icmp echo requests.
>
> Is this the right(?)/correct/valid/appropriate thing to do?

I see a lot of pings too.  At home my Linksys residential gateway reports
that they look like they were address spoofed.  (So how did it figure that
out?)  This leads me to suspect that they are part of a distributed denial
of service attack -- the alleged origin of the ping, to which you are
supposed to send a packet, is the victim.

Before my home Linux gateway blew its motherboard, I just dropped all pings
(in fact, just about everything) on the wild-side interface.  Best not to
send ICMP-host-unreachable; best to drop all unsolicited packets silently,
except for AUTH requests, for which a rejection saves you an annoying
timeout.  Except, I like to monitor the home machine from work, so I accept
pings from the work subnet only.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)


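The choice Jim describes above (REJECT with icmp-host-unreachable, silent DROP, or accepting pings from one trusted subnet only) is easy to reason about with a small model. The following is an added example and not code from the thread: it evaluates an inbound echo request on the wild-side interface under each of the three policies and returns whatever packet the firewall would emit in response, so the reflection risk of REJECT towards a spoofed source is visible. The interface name, the firewall address, the LAN and the "work" subnet are assumptions chosen from documentation address ranges, and the `looks_spoofed` check is only the one test a gateway can genuinely make (a packet from the Internet claiming a source inside your own LAN); a request from an arbitrary external address cannot be judged that way, which is exactly why DROP is the safer default.

```python
"""Added example (not from the thread): a small model of the INPUT-chain
choices discussed above for inbound ICMP echo requests on the wild-side
interface, showing what the firewall sends back under each policy and why
REJECT makes the spoofed-source case worse than DROP.

Addresses, interface name and subnets are assumptions for the example;
they are documentation ranges, not anyone's real network."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

WILD_IFACE = "eth0"                               # interface facing the Internet
MY_IP = ip_address("203.0.113.10")               # the firewall's public address (assumed)
INTERNAL_NET = ip_network("192.168.1.0/24")       # LAN behind the NAT router (assumed)
WORK_NET = ip_network("198.51.100.0/24")          # subnet allowed to ping, as in Jim's setup (assumed)


@dataclass(frozen=True)
class Packet:
    iface: str           # interface the packet arrived on (or leaves by)
    src: str
    dst: str
    proto: str = "icmp"
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply, 3 = destination unreachable
    icmp_code: int = -1  # for type 3: 0 = net unreachable, 1 = host unreachable


def looks_spoofed(pkt: Packet) -> bool:
    """One check a gateway can actually make: a packet arriving from the
    Internet must not claim a source inside our own LAN or our own address.
    A packet with any other source cannot be judged this way."""
    src = ip_address(pkt.src)
    return pkt.iface == WILD_IFACE and (src in INTERNAL_NET or src == MY_IP)


def input_chain(pkt: Packet, policy: str) -> Tuple[str, Optional[Packet]]:
    """Evaluate one inbound packet against one of the three policies.

    Returns (verdict, packet the firewall emits in response, or None):
      "reject"    Edmund's rule: -j REJECT --reject-with icmp-host-unreachable
      "drop"      Jim's advice:  -j DROP, nothing goes back
      "work_only" accept echo requests from WORK_NET only, DROP the rest
    """
    is_echo_req = pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.iface == WILD_IFACE
    if not is_echo_req:
        return "CONTINUE", None  # this rule does not match; later rules decide
    if looks_spoofed(pkt):
        # Anti-spoofing first, under every policy: these can never be genuine,
        # and answering them would only talk to whoever owns the forged address.
        return "DROP", None
    if policy == "reject":
        # REJECT synthesises an ICMP type 3 code 1 and addresses it to whatever
        # source the request carried, whether or not that source is real.
        return "REJECT", Packet(WILD_IFACE, str(MY_IP), pkt.src, "icmp", 3, 1)
    if policy == "drop":
        return "DROP", None
    if policy == "work_only":
        if ip_address(pkt.src) in WORK_NET:
            # accepted: the kernel answers with an echo reply (type 0)
            return "ACCEPT", Packet(WILD_IFACE, str(MY_IP), pkt.src, "icmp", 0, 0)
        return "DROP", None
    raise ValueError(f"unknown policy {policy!r}")


def sends_to_claimed_source(pkt: Packet, policy: str) -> bool:
    """True if the policy makes us transmit anything to pkt.src, i.e. to the
    address a DDoS victim would be made to appear as."""
    _, reply = input_chain(pkt, policy)
    return reply is not None and reply.dst == pkt.src


if __name__ == "__main__":
    # Constructed sample traffic: one plainly spoofed request (LAN source on
    # the wild side), one from the work subnet, one from an arbitrary host.
    samples = [
        Packet("eth0", "192.168.1.50", "203.0.113.10", "icmp", 8, 0),
        Packet("eth0", "198.51.100.7", "203.0.113.10", "icmp", 8, 0),
        Packet("eth0", "100.64.0.1", "203.0.113.10", "icmp", 8, 0),
    ]
    for pkt in samples:
        for policy in ("reject", "drop", "work_only"):
            verdict, reply = input_chain(pkt, policy)
            back = f"-> {reply.dst} type {reply.icmp_type}" if reply else "nothing sent"
            print(f"{pkt.src:>14} spoofed={looks_spoofed(pkt)!s:5} {policy:9} {verdict:8} {back}")
```

Running it shows the asymmetry Jim is pointing at: for the arbitrary external source, which no local check can prove forged, `reject` transmits an ICMP unreachable to that address while `drop` transmits nothing, and only the `work_only` policy ever produces an echo reply.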

* Re: icmp echo requests
  2003-09-29 19:49 ` Jim Carter
@ 2003-09-29 22:51   ` Michael Kearey
  2003-09-30  1:26   ` cc
  1 sibling, 0 replies; 8+ messages in thread
From: Michael Kearey @ 2003-09-29 22:51 UTC (permalink / raw)
  To: Netfilter Group

Jim Carter wrote:
> On Mon, 29 Sep 2003, cc wrote:
> 
>>I've been monitoring the NAT router with pktstat and am a little
>>perturbed to see quite a lot of icmp echo requests.  Now I've
>>setup my Linux firewall to reject icmp echo requests.
>>
>>Is this the right(?)/correct/valid/appropriate thing to do?
> 
> 
> I see a lot of pings too.  At home my Linksys residential gateway reports
> that they look like they were address spoofed.  (So how did it figure that
> out?)  This leads me to suspect that they are part of a distributed denial
> of service attack -- the alleged origin of the ping, to which you are
> supposed to send a packet, is the victim.

Not necessarily. The pings may be originating from internal infected
Windows machines. See below.

> 
> Before my home Linux gateway blew its motherboard, I just dropped all pings
> (in fact, just about everything) on the wild-side interface.  Best not to
> send ICMP-host-unreachable; best to drop all unsolicited packets silently,
> except for AUTH requests, for which a rejection saves you an annoying
> timeout.  Except, I like to monitor the home machine from work, so I accept
> pings from the work subnet only.
> 
> James F. Carter          Voice 310 825 2897    FAX 310 206 6673
> UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
> Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
> 
>


There are some viruses that cause the infected hosts to spew out lots of
pings. I have seen it, and it brought a gateway/firewall to its
knees, there were so many.

Since then I have done something like this:

# Add rate limiting to prevent DDoS from within - like some worms and
# viruses tend to produce.
# $LOG is the log target used elsewhere in the script; assumed here to be
# the plain LOG target if not already set.
LOG=${LOG:-LOG}

# Each rule is added with -I (insert at the top), so the chain ends up in
# the reverse of this order: limit/RETURN, then limit/LOG, then DROP.
# "--limit 1" means one per second (the default unit).
iptables -N echo_rate_limit
iptables -I echo_rate_limit -j DROP
iptables -I echo_rate_limit -m limit --limit 1 --limit-burst 2 \
        -j $LOG --log-prefix "ICMP rate exceeded: "
iptables -I echo_rate_limit -m limit -p ICMP --limit 1 --limit-burst 5 \
        -j RETURN

iptables -I FORWARD -p ICMP -j echo_rate_limit



I did it this way so I could easily insert the rate limit in an 
existing forwarding firewall. But you should be able to get the idea 
of rate limiting the echo-requests from what you see..

The best thing to do of course is fix the infected hosts.. That's why 
I log before dropping.

My apologies to OP for replying directly to him....

Cheers,
Michael






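What the echo_rate_limit chain above does to an actual burst is easier to see packet by packet than from the rule text, because the two `limit` matches keep separate state and the LOG rule only fires once the RETURN budget is gone. The following is an added example, not Michael's code: a token-bucket model of the iptables `limit` match (start with `--limit-burst` tokens, refill at `--limit` per second, one token per matched packet; a simplification of the kernel's credit-based implementation with the same documented behaviour) driven through the chain in its effective order with a constructed burst of twenty echo requests in one second from a single LAN host, followed by one more ping ten seconds later. The source address and timings are made up for the example.

```python
"""Added example (not from the thread): a token-bucket model of the iptables
`limit` match, run over a constructed burst of echo requests to show what
the echo_rate_limit chain above does packet by packet.  The bucket model is
a simplification of the kernel's credit-based implementation, but the
documented semantics are the same: --limit-burst tokens to start, refilled
at --limit per second, one token consumed per matched packet."""
from __future__ import annotations

from typing import List


class LimitMatch:
    """Stateful `-m limit --limit RATE/second --limit-burst BURST`."""

    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0

    def matches(self, now: float) -> bool:
        # refill for the time elapsed, never above the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0       # a match consumes one token
            return True
        return False


class EchoRateLimitChain:
    """The chain as it ends up after the three `-I` inserts above (each -I
    goes to the top, so the effective order is the reverse of the script):
        1. -m limit --limit 1 --limit-burst 5 -j RETURN
        2. -m limit --limit 1 --limit-burst 2 -j LOG --log-prefix "ICMP rate exceeded: "
        3. -j DROP
    `--limit 1` means one per second (the default unit)."""

    def __init__(self) -> None:
        self.pass_limit = LimitMatch(rate_per_sec=1.0, burst=5)
        self.log_limit = LimitMatch(rate_per_sec=1.0, burst=2)
        self.logged: List[str] = []

    def evaluate(self, now: float, src: str) -> str:
        if self.pass_limit.matches(now):
            return "RETURN"          # within budget: back to FORWARD, packet continues
        if self.log_limit.matches(now):
            # LOG is non-terminating: the packet is logged and then falls to DROP
            self.logged.append(f"ICMP rate exceeded: SRC={src} t={now:.2f}")
            return "LOG+DROP"
        return "DROP"                # over budget and log budget exhausted: silent


def run_chain(timestamps: List[float], src: str = "192.168.1.23") -> List[str]:
    """Feed echo requests (arrival times in seconds) through a fresh chain
    and return the verdict for each.  The source address is a constructed
    example value."""
    chain = EchoRateLimitChain()
    return [chain.evaluate(t, src) for t in timestamps]


def count_logged(timestamps: List[float]) -> int:
    """How many log lines the same burst produces."""
    chain = EchoRateLimitChain()
    for t in timestamps:
        chain.evaluate(t, "192.168.1.23")
    return len(chain.logged)


if __name__ == "__main__":
    # Constructed worm-like burst: 20 pings in one second from one LAN host,
    # then a single ping ten seconds later.
    burst = [i * 0.05 for i in range(20)] + [10.0]
    for t, verdict in zip(burst, run_chain(burst)):
        print(f"t={t:5.2f}s  {verdict}")
    print(f"{count_logged(burst)} log lines for {len(burst)} packets")
```

The first five packets pass, the next two are logged and dropped, the remaining thirteen are dropped silently, and the ping ten seconds later passes again because the bucket has refilled. The `--limit-burst 2` on the LOG rule is what keeps the log at two lines per flood instead of one line per packet. One caveat for the FORWARD use above: `-m limit` keeps a single bucket for the whole rule, so one infected host exhausts the budget for every machine behind the gateway; the `hashlimit` match (for example with `--hashlimit-mode srcip`) keeps a bucket per source address, which lets a worm-infected host be throttled without taking everyone else's pings with it.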

* Re: icmp echo requests
  2003-09-29 19:49 ` Jim Carter
  2003-09-29 22:51   ` Michael Kearey
@ 2003-09-30  1:26   ` cc
  1 sibling, 0 replies; 8+ messages in thread
From: cc @ 2003-09-30  1:26 UTC (permalink / raw)
  To: Netfilter Group

Jim Carter wrote:

> On Mon, 29 Sep 2003, cc wrote:
> 
>>I've been monitoring the NAT router with pktstat and am a little
>>perturbed to see quite a lot of icmp echo requests.  Now I've
>>setup my Linux firewall to reject icmp echo requests.
>>
>>Is this the right(?)/correct/valid/appropriate thing to do?
> 
> 
> I see a lot of pings too.  At home my Linksys residential gateway reports
> that they look like they were address spoofed.  (So how did it figure that
> out?)  This leads me to suspect that they are part of a distributed denial

I was about to ask you how you figured out that the addresses were
spoofed until I read it carefully. :)  But how exactly does that
happen?  I mean, if it's obvious (incoming Internet packets posing
as packets from internal network IPs) I'd understand, but if
a packet came from aaa.bbb.ccc.ddd, how does a router determine
the authenticity?

> of service attack -- the alleged origin of the ping, to which you are
> supposed to send a packet, is the victim.

Meaning that the forged packet is sent such that any response from
my system would be sent to the forged packet's IP and not the
real one?   That's scary.  While I have read about DDOSs and DOSs,
it's quite scary that it could just happen to the IPs I handle.

> Before my home Linux gateway blew its motherboard, I just dropped all pings
> (in fact, just about everything) on the wild-side interface.  Best not to
> send ICMP-host-unreachable; best to drop all unsolicited packets silently,

That's a good point.  I'd figure that they could just leave me alone
if I told them no such host.  But then, I'd also contribute to the
ping response.

Thanks Jim

Edmund




* Re: icmp echo requests
  2003-09-29  4:32 icmp echo requests Edmund
@ 2003-10-01 12:58 ` Jamie Harris
  0 siblings, 0 replies; 8+ messages in thread
From: Jamie Harris @ 2003-10-01 12:58 UTC (permalink / raw)
  To: Edmund; +Cc: Netfilter Group

> Is this the right(?)/correct/valid/appropriate thing to do?

There's nothing wrong with ignoring echo requests AFAIK; some see it as
being a security enhancement, although there are plenty of other ways to
work out if a host is up or explore a subnet.

> Furthermore (just for clarification) using tcpdump, I get incoming
> icmp echo requests, but no response from my firewall(good thing
> right?.  This means the firewall is dropping/rejecting the
> echo requests?

Sure does.  It confused me a little at first that tcpdump still sees the
packet even though it's dropped by the firewall.

> Btw, I'm quite bothered about the pings.  It doesn't
> look right.

Where are these coming from?  Does a reverse lookup of the IP mean
anything to you?

cheers

Jamie...


-- 
**  This message was transmitted on 100% recycled electrons **




* RE: icmp echo requests
@ 2003-10-01 20:13 Daniel Chemko
  0 siblings, 0 replies; 8+ messages in thread
From: Daniel Chemko @ 2003-10-01 20:13 UTC (permalink / raw)
  To: Edmund, Netfilter Group

I get an average of 1 ping every 2 seconds. It is pretty normal for the
World Wide Web, or spammers, crackers, and viruses.

>Btw, I'm quite bothered about the pings.  It doesn't
>look right.




end of thread, other threads:[~2003-10-01 20:13 UTC | newest]
