Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
11-27-2003, 01:25 AM  #1
Member | Registered: Jul 2003 | Location: manila | Distribution: slackware 8 to 9 | Posts: 199
icmp flooding
Hi people!
For weeks, when I try to run my netwatch to monitor my internet connection, I always see i088235073.rivernet.com.au trying to send me an ICMP echo.
How do I stop this bogus site? I need help... thanks!
11-27-2003, 07:31 AM  #2
Senior Member | Registered: Oct 2002 | Location: Belgium | Distribution: Debian, Free/OpenBSD | Posts: 1,123
It's not a bogus site:
Code:
$ host i088235073.rivernet.com.au
i088235073.rivernet.com.au has address 203.88.235.73
Anyway, the simplest thing to stop those ICMP packets is to block all ICMP traffic to your PC.
So add some rules to iptables to block every ICMP packet that comes to your PC, but don't block the ones you requested:
Code:
# this allows outgoing pings (and any other ICMP your box sends) on eth0
/sbin/iptables -A OUTPUT -p icmp -o eth0 -j ACCEPT
# this makes ICMP coming in on eth0 get dropped unless it is one of the types
# you requested yourself:
#   echo-reply              (type 0)  the answer to your own ping
#   destination-unreachable (type 3)  includes fragmentation-needed, which path-MTU discovery depends on
#   time-exceeded           (type 11) what traceroute relies on
# the rules are appended (-A), so an ACCEPT rule already earlier in INPUT
# would match before the final DROP
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -s 0/0 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp -i eth0 -j DROP
Feel free to change values; you might not be using eth0, and the -s 0/0 may be useless too.
11-27-2003, 08:47 AM  #3
Member | Registered: Jul 2003 | Location: Göteborg | Distribution: Arch Linux (current) | Posts: 553
What about states to make it even safer?
Code:
/sbin/iptables -A OUTPUT -p icmp -o eth0 -m state --state NEW -j ACCEPT
This will only allow NEW pings to get out, but nothing that is related to incoming connections, i.e. RELATED, ESTABLISHED... I think this might stop echo replies even if you accepted the incoming echo request. Or is this unnecessary, or even complete crap?
11-27-2003, 01:40 PM  #4
Senior Member | Registered: Oct 2002 | Location: Belgium | Distribution: Debian, Free/OpenBSD | Posts: 1,123
IMHO it's useless: I'm only allowing ICMP packets that answer my outgoing ICMPs,
so I don't see how an echo-reply, destination-unreachable or time-exceeded ICMP
can trigger a new outgoing one locally.
But... I could be wrong.
11-27-2003, 02:08 PM  #5
Moderator | Registered: May 2001 | Posts: 29,415
Quote:
What about states to make it even safer?
ICMP doesn't maintain state. It's not using "conversations" like TCP does. ICMP is a "message" protocol: it "warns" when networks, hosts or ports are not (made) accessible. For instance, if you connect to a restricted TCP port, you get a TCP message back. For the same UDP port you get an ICMP message back. Not all ICMP types are necessary or should be allowed (redirects or broadcast responses, for instance): there are /proc/sys/net settings for a lot of ICMP stuff, like for example ignoring echoes. To harden the rules Iceman47 gave you, you could add in/outbound rate limits and deny ICMP types/codes you don't want/need.
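An added example, not posted by anyone in this thread, that puts post #2's per-type rules, the state match from post #3 and the rate limits and /proc/sys/net settings post #5 mentions into one script. The interface name eth0, the limit values, the log prefix and the ANSWER_PINGS switch are assumptions; it runs as a dry run that prints the commands, and only applies them when IPT=/sbin/iptables and SYSCTL=/sbin/sysctl are set. One thing the thread leaves open is worth knowing: netfilter's connection tracking does record an outgoing echo-request and matches the returning echo-reply as ESTABLISHED, and it classifies an ICMP error that quotes one of your tracked flows (destination-unreachable, time-exceeded, parameter-problem, and also redirect) as RELATED. On the INPUT side a single state rule therefore stands in for the three per-type ACCEPT rules and, unlike them, refuses an echo-reply nobody asked for; the redirect DROP has to come before it for the same reason.

```shell
#!/bin/sh
# Added example, not from the thread: a host ICMP policy script.
# Dry run by default (prints the commands). To apply for real:
#   IPT=/sbin/iptables SYSCTL=/sbin/sysctl sh icmp-policy.sh
# IFACE, the limit values, the log prefix and ANSWER_PINGS are assumptions.
IFACE="${IFACE:-eth0}"
IPT="${IPT:-echo /sbin/iptables}"
SYSCTL="${SYSCTL:-echo /sbin/sysctl}"
ANSWER_PINGS="${ANSWER_PINGS:-yes}"   # set to "no" to drop every inbound echo-request

icmp_rules() {
    # A redirect from the wire can rewrite our routing table: never accept it.
    # It goes first because conntrack treats a redirect that quotes a tracked
    # flow as an ICMP error, i.e. RELATED, and the next rule would accept it.
    $IPT -A INPUT -i "$IFACE" -p icmp --icmp-type redirect -j DROP

    # Replies to our own pings and ICMP errors about flows we opened.
    # Connection tracking pairs an outgoing echo-request with its echo-reply
    # (ESTABLISHED) and links destination-unreachable, time-exceeded and
    # parameter-problem to the flow they quote (RELATED). One rule therefore
    # covers the three per-type ACCEPT rules from post #2, and an echo-reply
    # that answers no request of ours falls through to the DROP below.
    $IPT -A INPUT -i "$IFACE" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound echo-request: answer at most 1/s (burst 4), or not at all.
    if [ "$ANSWER_PINGS" = yes ]; then
        $IPT -A INPUT -i "$IFACE" -p icmp --icmp-type echo-request \
            -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    fi

    # Log a sample of whatever is left (the LOG rule is itself rate-limited so
    # a flood cannot fill syslog), then drop it. Unsolicited pings end up here.
    $IPT -A INPUT -i "$IFACE" -p icmp -m limit --limit 5/min -j LOG --log-prefix "icmp-drop: "
    $IPT -A INPUT -i "$IFACE" -p icmp -j DROP

    # Outbound: our own probes and the errors we generate, capped so this box
    # cannot be turned into an ICMP flood source; the excess is dropped.
    $IPT -A OUTPUT -o "$IFACE" -p icmp -m limit --limit 10/s --limit-burst 20 -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p icmp -j DROP
}

icmp_sysctl() {
    # The /proc/sys/net knobs: what the kernel does before iptables sees a packet.
    $SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1        # no smurf amplification
    $SYSCTL -w net.ipv4.icmp_ignore_bogus_error_responses=1  # don't log junk errors
    $SYSCTL -w net.ipv4.conf.all.accept_redirects=0          # belt and braces with the DROP rule
    $SYSCTL -w net.ipv4.conf.all.send_redirects=0            # a host has no business redirecting
    if [ "$ANSWER_PINGS" != yes ]; then
        $SYSCTL -w net.ipv4.icmp_echo_ignore_all=1           # kernel ignores echo-request entirely
    fi
}

icmp_rules
icmp_sysctl
```

Run it once plainly and read the output before applying: with ANSWER_PINGS left at yes it lists five INPUT rules and two OUTPUT rules, and with ANSWER_PINGS=no the echo-request rule disappears and the matching kernel setting is added instead. Keep in mind that the state rule only helps if the conntrack modules are loaded; without them `-m state` matches nothing and all inbound ICMP except rate-limited echo-requests hits the DROP.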
11-27-2003, 02:37 PM  #6
Member | Registered: Jul 2003 | Location: Göteborg | Distribution: Arch Linux (current) | Posts: 553
Aha, I didn't know that. But... What is an echo-reply then? Or do you mean that the echo-reply doesn't contain any information about being a "related" packet to the incoming echo-request? And that TCP packets have for instance the ACK bit set, to say "hey, I belong to an established connection"?
Ah, sorry, I don't mean to hijack the thread, I'm just curious :]
11-27-2003, 02:46 PM  #7
Senior Member | Registered: Oct 2002 | Location: Belgium | Distribution: Debian, Free/OpenBSD | Posts: 1,123
For example: you send a ping out, server gets the packet and returns an ICMP with echo-reply set, so you know the server's up.
As your box requested the ICMP, your box knows when an echo-reply returns that it's its own.
There's no conversation like TCP in UDP, like unSpawn said.
11-27-2003, 02:46 PM  #8
Member | Registered: Oct 2003 | Location: ITALY | Distribution: Debian, Ubuntu, Fedora | Posts: 137
Quote:
echo-reply doesn't contain any information about being a "related"
|
Exactly.
By the way... I would like to express my doubts about blocking all ICMP stuff.
This is actually too restrictive, in my opinion. Limiting the number of them over a period of time is enough. Don't forget ICMP data is a part of the networking infrastructure. I would suggest people stop saying "block all ICMPs".
11-27-2003, 02:50 PM  #9
Senior Member | Registered: Oct 2002 | Location: Belgium | Distribution: Debian, Free/OpenBSD | Posts: 1,123
Quote:
Originally posted by TheIrish
I would suggest people stop saying "block all ICMPs".
|
I don't say "block all ICMP", I say allow those that you want, drop the rest.
11-27-2003, 03:14 PM  #10
Member | Registered: Oct 2003 | Location: ITALY | Distribution: Debian, Ubuntu, Fedora | Posts: 137
Quote:
I don't say "block all ICMP", I say allow those that you want, drop the rest
|
Sorry iceman, I didn't mean that. I'm actually quite nervous today and I misunderstood a little.
My "I would suggest people stop saying 'block all ICMPs'" was actually a general comment and not targeted at you. I meant I am bored of people who think they're being cool by suggesting to block ICMPs.
11-27-2003, 03:21 PM  #11
Senior Member | Registered: Oct 2002 | Location: Belgium | Distribution: Debian, Free/OpenBSD | Posts: 1,123
Quote:
Originally posted by TheIrish
Sorry iceman, i didn't mean that. I actually quite nervous today and I misunderstood a little.
|
No need to apologize.