
Re: [cobalt-security] ICMP protocol



On Mon, 23 Apr 2001, Markus Noeske wrote:

> has somebody discovered problems with
> a ping-flood attack on cobalt raqs?
> how to block the icmp protocol on cobalt
> servers?

/sbin/ipchains -A input -j REJECT -p icmp --icmp-type echo-request
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type echo-reply
/sbin/ipchains -A input -j REJECT -p tcp -d 212.158.123.230 33434
/sbin/ipchains -A input -j REJECT -p udp -d 212.158.123.230 33434
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type redirect
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type timestamp-request
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type timestamp-reply
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type address-mask-request
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type address-mask-reply

You need to change the ip address (212.158.123.230) to the IP address of
the RaQ.  Make sure ipchains is installed.

If you want it applied automatically on reboot, add the lines to
/etc/rc.d/rc.local.

Filters out ICMP (ping), traceroute to the RaQ etc.

If you *NEED* to be able to ping the RaQ and traceroute to it, then don't
run said commands.  You have to be aware, however, that malicious users can
(and do) use tools like ping to tell if their DoS attacks are affecting
the system.

The lines to filter out ICMP redirect and timestamp-request, by the way,
stop people determining the RaQ's Linux kernel remotely.  That's possible
with tools like nmap and queso.
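
Added example, not part of the original post: a shell helper for the two manual steps described above, substituting the RaQ's address into the rules and placing them in /etc/rc.d/rc.local. The function names and the BEGIN/END marker lines are assumptions of this sketch; a second run replaces the earlier block rather than appending the rules again.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# BEGIN/END marker strings are assumptions of this sketch.
BEGIN_MARK="# BEGIN icmp-filter"
END_MARK="# END icmp-filter"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# Runs in a subshell so the IFS change does not leak to the caller.
valid_ipv4() (
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Print the nine rules from the post with the given address substituted.
emit_rules() {
    pre="/sbin/ipchains -A input -j REJECT -p"
    echo "$pre icmp --icmp-type echo-request"
    echo "$pre icmp --icmp-type echo-reply"
    echo "$pre tcp -d $1 33434"
    echo "$pre udp -d $1 33434"
    for t in redirect timestamp-request timestamp-reply \
             address-mask-request address-mask-reply; do
        echo "$pre icmp --icmp-type $t"
    done
}

# Write the rules into an rc.local-style file inside a marked block,
# replacing any block from an earlier run: ipchains -A appends, so
# duplicated lines would load duplicate rules at every boot.
install_rules() {
    rc_file=$1
    valid_ipv4 "$2" || { echo "invalid IPv4 address: $2" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if [ -f "$rc_file" ]; then
        sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$rc_file" > "$tmp"
    fi
    { echo "$BEGIN_MARK"; emit_rules "$2"; echo "$END_MARK"; } >> "$tmp"
    cat "$tmp" > "$rc_file" && rm -f "$tmp"
}
```

Call it as `install_rules /etc/rc.d/rc.local` followed by the RaQ's own address; the rules take effect at the next boot, when rc.local runs.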