From: Michael Kearey <mutk@iprimus.com.au>
To: Netfilter Group <netfilter@lists.netfilter.org>
Subject: Re: icmp echo requests
Date: Tue, 30 Sep 2003 08:51:17 +1000
Message-ID: <3F78B765.6060003@iprimus.com.au>
In-Reply-To: <Pine.LNX.4.53.0309291238510.2782@xena.cft.ca.us>
Jim Carter wrote:
> On Mon, 29 Sep 2003, cc wrote:
>
>>I've been monitoring the NAT router with pktstat and am a little
>>perturbed to see quite a lot of icmp echo requests. Now I've
>>setup my Linux firewall to reject icmp echo requests.
>>
>>Is this the right(?)/correct/valid/appropriate thing to do?
>
>
> I see a lot of pings too. At home my Linksys residential gateway reports
> that they look like they were address spoofed. (So how did it figure that
> out?) This leads me to suspect that they are part of a distributed denial
> of service attack -- the alleged origin of the ping, to which you are
> supposed to send a packet, is the victim.
Not necessarily. The pings may be originating from internal infected
Windows machines. See below.
>
> Before my home Linux gateway blew its motherboard, I just dropped all pings
> (in fact, just about everything) on the wild-side interface. Best not to
> send ICMP-host-unreachable; best to drop all unsolicited packets silently,
> except for AUTH requests, for which a rejection saves you an annoying
> timeout. Except, I like to monitor the home machine from work, so I accept
> pings from the work subnet only.
>
> James F. Carter Voice 310 825 2897 FAX 310 206 6673
> UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
> Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
>
>
There are some viruses that cause the infected hosts to spew out lots of
pings. I have seen it, and it brought a gateway/firewall to its
knees, there were so many.
Since then I have done something like this:
# Add rate limiting to prevent DDoS from within - like some worms and
# viruses tend to produce
# $LOG is the logging target used elsewhere in the script; LOG is the
# plain kernel-log target. --limit 1 means one match per second.
LOG=${LOG:-LOG}
# Rules are inserted with -I, so the chain ends up as: RETURN (within the
# limit), then LOG, then DROP.
iptables -N echo_rate_limit
iptables -I echo_rate_limit -j DROP
iptables -I echo_rate_limit -m limit --limit 1 --limit-burst 2 -j $LOG \
    --log-prefix "ICMP rate exceeded: "
iptables -I echo_rate_limit -p ICMP -m limit --limit 1 --limit-burst 5 \
    -j RETURN
iptables -I FORWARD -p ICMP -j echo_rate_limit
I did it this way so I could easily insert the rate limit in an
existing forwarding firewall. But you should be able to get the idea
of rate limiting the echo-requests from what you see..
The best thing to do of course is fix the infected hosts.. That's why
I log before dropping.
My apologies to OP for replying directly to him....
Cheers,
Michael
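Following up on the logging point in Michael's message, here is an added example (not part of the original post or the netfilter project) that tallies the "ICMP rate exceeded: " kernel log lines per source address so the infected internal hosts can be found and cleaned. The log lines are constructed samples in the netfilter LOG target's format; the gateway name, interfaces and addresses are made up.

```shell
#!/bin/sh
# Constructed sample of kernel log lines as written by the LOG target with
# the prefix from the echo_rate_limit chain. Field layout follows the real
# netfilter LOG format; hosts, interfaces and addresses are invented.
SAMPLE_LOG='Sep 30 08:40:01 gw kernel: ICMP rate exceeded: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=4242 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep 30 08:40:01 gw kernel: ICMP rate exceeded: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=4243 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Sep 30 08:40:02 gw kernel: ICMP rate exceeded: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.23 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=777 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Sep 30 08:40:02 gw kernel: ICMP rate exceeded: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.11 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Sep 30 08:40:02 gw kernel: some unrelated kernel message
Sep 30 08:40:03 gw kernel: ICMP rate exceeded: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.12 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=4244 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3'

# The FORWARD rule matches all ICMP, so echo replies (TYPE=0) are logged
# too. For a worm hunt only the echo requests (TYPE=8) matter; the
# trailing space keeps TYPE=8 from matching a longer number.
echo_requests_only() {
    grep 'PROTO=ICMP TYPE=8 '
}

# Count rate-limited packets per SRC address.
# Input: log text on stdin. Output: "<count> <src>" lines, busiest first.
icmp_offenders() {
    grep 'ICMP rate exceeded: ' |
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# The single worst internal host in the sample, "<count> <src>".
top_offender() {
    printf '%s\n' "$SAMPLE_LOG" | echo_requests_only | icmp_offenders | head -n 1
}

top_offender
```

On a live gateway the same pipeline reads the syslog or journal output instead of the constructed sample.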