
[cobalt-security] ICMP protocol



Hi,

I'm just in the process of setting up IPChains on my RaQ4i and nicely
conveniently saw your reply below re. ICMP.

One question I have is, is there any particular reason why you specifically
specified the destination IP on the tcp and udp rules? Is there a reason why
you wouldn't want it to apply to "anywhere",.. or do you just "have to"
specify a destination?

Best wishes,
Curious IPChains novice,
Nic


Date: Mon, 23 Apr 2001 16:41:13 +0100 (BST)
From: Gossi The Dog <gossi@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] ICMP protocol
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


On Mon, 23 Apr 2001, Markus Noeske wrote:

> has somebody discovered problems with
> a ping-flood attack on cobalt raqs?
> how to block the icmp protocol on cobalt
> servers?

/sbin/ipchains -A input -j REJECT -p icmp --icmp-type echo-request
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type echo-reply
/sbin/ipchains -A input -j REJECT -p tcp -d 212.158.123.230 33434
/sbin/ipchains -A input -j REJECT -p udp -d 212.158.123.230 33434
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type redirect
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type timestamp-request
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type timestamp-reply
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type address-mask-request
/sbin/ipchains -A input -j REJECT -p icmp --icmp-type address-mask-reply

You need to change the ip address (212.158.123.230) to the IP address of
the RaQ.  Make sure ipchains is installed.

If you want it automatically applying on reboot, add the lines to
/etc/rc.d/rc.local.

Filters out ICMP (ping), traceroute to the RaQ etc.

If you *NEED* to be able to ping the RaQ and traceroute to it, then don't
run said commands.  You have to be aware, however, that malicious users can
(and do) use tools like ping to tell if their DoS attacks are affecting
the system.

The lines to filter out ICMP redirect and timestamp-request, by the way,
stop people determining the RaQ's Linux kernel remotely.  That's possible
with tools like nmap and questo.
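On the `-d` question above: in ipchains the `input` chain sees every packet that arrives on an interface, including packets the box would go on to forward, so giving the tcp/udp rules the RaQ's own address as destination limits the reject to traceroute probes aimed at the RaQ itself. A destination is not mandatory; leaving it off would match port 33434 for any destination. The script below is an added example written for this thread, not code from either poster: it takes the RaQ address once, validates it, and builds the same nine REJECT rules as the reply above, printing them by default and only executing them when `APPLY=1` is set. The variable names, the `valid_ipv4` helper and the dry-run switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example for the cobalt-security thread, not the list reply's own script.
# Builds the ICMP / traceroute REJECT rules for one RaQ address.
# Assumes /sbin/ipchains exists and RAQ_IP is the RaQ's own IPv4 address.

IPCHAINS=/sbin/ipchains
TRACEROUTE_PORT=33434   # first destination port that traceroute probes

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=. ; set -- $1 ; unset IFS
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Print one ipchains command per line for the given RaQ address.
build_rules() {
  ip=$1
  if ! valid_ipv4 "$ip"; then
    echo "build_rules: '$ip' is not a valid IPv4 address" >&2
    return 1
  fi
  # ICMP types rejected on the input chain, as in the list reply.
  for icmp_type in echo-request echo-reply redirect \
                   timestamp-request timestamp-reply \
                   address-mask-request address-mask-reply; do
    echo "$IPCHAINS -A input -j REJECT -p icmp --icmp-type $icmp_type"
  done
  # Traceroute probes: -d restricts the reject to probes addressed to the
  # RaQ, so a RaQ that also forwards traffic leaves other hosts' probes alone.
  for proto in tcp udp; do
    echo "$IPCHAINS -A input -j REJECT -p $proto -d $ip $TRACEROUTE_PORT"
  done
}

# Dry run by default; APPLY=1 executes each generated command.
apply_rules() {
  build_rules "$1" | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then
      $cmd
    else
      echo "$cmd"
    fi
  done
}

# Usage: RAQ_IP=192.0.2.10 sh rules.sh        (print the rules)
#        RAQ_IP=192.0.2.10 APPLY=1 sh rules.sh (install them)
if [ -n "${RAQ_IP:-}" ]; then
  apply_rules "$RAQ_IP"
fi
```

Two points worth keeping in mind when using it: rejecting inbound `echo-reply` also discards replies to pings the RaQ sends itself, and `REJECT` answers the sender with an ICMP error, which still confirms the host is up; `DENY` drops the packet silently. The rules are appended with `-A`, so anything already in the `input` chain is evaluated first.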