LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-27-2003, 01:25 AM   #1
slack66
Member
 
Registered: Jul 2003
Location: manila
Distribution: slackware 8 to 9
Posts: 199

Rep: Reputation: 30
icmp flooding


hi people!
for weeks went i try to run my netwatch to monitor my internet connection i always see i088235073.rivernet.com.au trying to send me an icmp echo.
how do i stop this bogus site?? i need help....thks!
 
Old 11-27-2003, 07:31 AM   #2
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
It's not a bogus site:
Code:
$ host i088235073.rivernet.com.au
i088235073.rivernet.com.au has address 203.88.235.73
anyway, the most simple thing to stop those ICMP packets is to block all ICMP traffic
to your pc.
So add some rules to iptables to block ever ICMP that comes to your pc but don't block
the ones you requested

Code:
# this allows outgoing pings
/sbin/iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT

# this makes that ICMP requests to your pc will be dropped, unless you've
# requested them (echo-reply || destination-unreachable || time-exceeded)
/sbin/iptables -A INPUT  -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT  -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT  -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -i eth0 -j DROP
Feel free to change values, you might not be using eth0 and the -s 0/0 may be useless
too.
 
Old 11-27-2003, 08:47 AM   #3
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
What about states to make it even safer?

/sbin/iptables -A OUTPUT -p icmp -o eth0 -m state --state NEW -j ACCEPT

This will only allow NEW pings to get out, but nothing that is related with incoming connections, i.e. RELATED, ESTABLISHED... I think this might stop echo replies even if you accepted the incoming echo request. Or is this unnecessary or even complete crap?
 
Old 11-27-2003, 01:40 PM   #4
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
IMHO it's useless, I'm only allowing ICMP packets that answer my outgoing ICMP's.
So I don't see how an echo-reply or destination-unreachable or time-exceeded ICMP
can trigger a new outgoing one locally.
But... I could be wrong.
 
Old 11-27-2003, 02:08 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
What about states to make it even safer?
ICMP doesn't maintain state. It's not using "conversations" like TCP does. ICMP is a "message" protocol: it "warns" when networks, hosts or ports are not (made) accessable. For instance if you connect to a restricted TCP port, you get a TCP message back. For the same UDP port you get an ICMP message back. Not all ICMP types are necessary or should be allowed (redirects or broadcast responses for instance): there's /proc/sys/net settings for a lot of ICMP stuff like for example ignoring echoes. To harden the rules Iceman47 gave you, you could add in/outbound ratelimits and deny ICMP types/codes you don't want/need.
 
Old 11-27-2003, 02:37 PM   #6
Bebo
Member
 
Registered: Jul 2003
Location: Göteborg
Distribution: Arch Linux (current)
Posts: 553

Rep: Reputation: 31
Aha, I didn't know that. But... What is an echo-reply then? Or do you mean that the echo-reply doesn't contain any information about being a "related" packet to the incoming echo-request? And that TCP packets have for instance the ACK bit set, to say "hey, I belong to an established connection"?

Ah, sorry, I don't mean to hijack the thread, I'm just curious :]
 
Old 11-27-2003, 02:46 PM   #7
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
For example: you send a ping out, server gets the packet and returns an ICMP with echo-reply set, so you know the server's up.
As your box requested the ICMP, your box knows when an echo-reply returns it's his.
There's no conversation like TCP in UDP, like unSpawn said.
 
Old 11-27-2003, 02:46 PM   #8
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Quote:
echo-reply doesn't contain any information about being a "related"
Exactly.
By the way... I would like to express my dubts about blocking all ICMP stuff.
This is actually too restrictive, in my opinion. Limiting the amount of them over a range of time is enough. Don't forget ICMP data is a part of networking infrastructure. I would suggest people stop saying "block all ICMPs".
 
Old 11-27-2003, 02:50 PM   #9
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Quote:
Originally posted by TheIrish
I would suggest people stop saying "block all ICMPs".
I don't say "block all ICMP", I say allow those that you want, drop the rest.
 
Old 11-27-2003, 03:14 PM   #10
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Quote:
I don't say "block all ICMP", I say allow those that you want, drop the rest
Sorry iceman, i didn't mean that. I actually quite nervous today and I misunderstood a little.
My "I would suggest people stop saying "block all ICMPs". " actually was a general comment and not targeted at you. I meant I am bored of people believing to be cool and suggesting to block ICMPs.
 
Old 11-27-2003, 03:21 PM   #11
iceman47
Senior Member
 
Registered: Oct 2002
Location: Belgium
Distribution: Debian, Free/OpenBSD
Posts: 1,123

Rep: Reputation: 47
Quote:
Originally posted by TheIrish
Sorry iceman, i didn't mean that. I actually quite nervous today and I misunderstood a little.
No need to appologize
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
prevent flooding on firerwall masand Linux - Networking 3 08-09-2005 04:53 PM
flooding ohcarol Linux - Security 9 06-25-2005 11:05 AM
ICMP traffic archives/writing ICMP traffic in a file maia_1 Programming 0 07-20-2004 04:43 AM
flooding the network at certain level becky_starr Linux - Networking 2 03-16-2004 02:31 PM
nmbd keeps flooding my system saturn_vk Slackware 1 03-01-2003 07:08 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration