Security Basics mailing list archives
Re: Dropping ICMP Echo Request
From: Rodrigo Otaviano <rodrigo () otaviano com>
Date: Mon, 17 Nov 2003 09:58:43 -0800
Oh sorry Mike, actually I forgot to mention something: my client is using Windows 2000 Server. They have Microsoft ISA Server installed (which I don't have much experience with), but I couldn't figure out a way to achieve my goals with it because these ICMP packets are being sent to the entire subnet and, as far as I know, I can only apply filter rules on interfaces the ISA Server is attached to.

The situation is something like this:

              flooding of icmp packets
                          |
                          |
           GATEWAY - ISA SERVER ( x.y.z.5)
                          |
    |---------------------|--------------------------|
    x.y.z.6            x.y.3z.7                   x.y.z.8

So I decided to go for Snort, since they don't want to spend a lot of money on this. My objective here was to use Snort on this gateway and drop any ICMP packets directed to any of these IP addresses.

Rodrigo Otavio Paes de Barros Otaviano

On 11/17/03 9:31 AM, "Mike" <mike () superiorholidayadventures ca> wrote:
Sounds like you might be running Linux. If you are and are using IPTables you can accomplish this with the following command:

    iptables -I INPUT -i <outside nic> -p icmp --icmp-type echo-request -j DROP

You could also slow the rate down with this:

    # -m limit matches only packets within the rate, so those are accepted here;
    # -I places this rule ahead of the DROP rule above, which catches the excess.
    iptables -I INPUT -i <outside nic> -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

You can fiddle with the numbers on that last one to your liking.

Hope that helps!

Mike Fetherston

-----Original Message-----
From: Rodrigo Otaviano [mailto:rodrigo () otaviano com]
Sent: Friday, November 14, 2003 4:36 PM
To: security-basics
Subject: Dropping ICMP Echo Request

Hi there,

My goal is to drop some ICMP Echo Request packets in order to minimize intense ICMP traffic. I know it's possible to implement some active response on Snort, for example by using it along with FlexResp. For example, if I want to send a message of "host and port unreachable" to the sender, I can simply use something like this:

    alert udp any any -> 192.168.1.0/24 31 (resp: icmp_port,icmp_host;msg:"example";)

But that's not exactly what I want to do. My question is: is it possible to drop any ICMP Echo Request instead of sending a new ICMP back (by using Snort), or would I have to use some kind of filter rule manipulation, for example with SnortSam to modify/create an access control list (acl) on a firewall or router?

Rodrigo Otavio Paes de Barros Otaviano
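Added example, not part of the original messages: a small model of the iptables limit match, showing that the target on the limit rule decides whether an echo-request flood is dropped or passed. It compares a lone limit rule with -j DROP against a limit rule with -j ACCEPT ahead of an unconditional DROP. The function names, the ACCEPT chain policy and the flood of 100 echo requests per second for 10 seconds are assumptions constructed for the illustration; the burst of 5 is the match's default.

```python
# Added illustration (not from the thread): integer token-bucket model of the
# iptables "limit" match. Burst of 5 is the match's default; the chain policy
# of ACCEPT and the flood below are constructed assumptions.
TOKEN = 1000  # one token in milli-token units: 1 ms at 1/s earns 1 unit

def make_limit(rate_per_s=1, burst=5):
    """Return a stateful matcher modelling `-m limit --limit <rate>/s`."""
    state = {"credit": burst * TOKEN, "last": None}
    def match(t_ms):
        if state["last"] is not None:  # refill for elapsed time, capped at burst
            earned = (t_ms - state["last"]) * rate_per_s
            state["credit"] = min(burst * TOKEN, state["credit"] + earned)
        state["last"] = t_ms
        if state["credit"] >= TOKEN:
            state["credit"] -= TOKEN   # a match spends one token
            return True
        return False                   # no token: the rule does not match
    return match

def always(_t_ms):
    """Matcher for a rule with no limit: every echo request matches."""
    return True

def run_chain(rules, times_ms, policy="ACCEPT"):
    """First matching rule decides; unmatched packets get the chain policy."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for t in times_ms:
        verdict = policy
        for match, target in rules:
            if match(t):
                verdict = target
                break
        counts[verdict] += 1
    return counts

# Constructed flood: 100 echo requests per second for 10 s (1000 packets).
FLOOD_MS = range(0, 10_000, 10)

def limit_drop_only():
    # Single rule: -m limit --limit 1/s -j DROP
    return run_chain([(make_limit(), "DROP")], FLOOD_MS)

def limit_accept_then_drop():
    # Rule 1: -m limit --limit 1/s -j ACCEPT, rule 2: -j DROP
    return run_chain([(make_limit(), "ACCEPT"), (always, "DROP")], FLOOD_MS)

if __name__ == "__main__":
    print("limit + DROP only:      ", limit_drop_only())
    print("limit ACCEPT, then DROP:", limit_accept_then_drop())
```

In the model, the lone limit rule with DROP removes only the burst plus one packet per second and lets the rest of the flood through, while the ACCEPT-then-DROP pair passes that same trickle and drops everything else.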