Ping of Death Ping -s 655507 192.168.0.1

Taking care of your Linux box.

Postby xenoboy » Sat Dec 27, 2003 3:36 pm

I have a small 100-PC network using Squid as a proxy server. People in my LAN sometimes send me a lot of packets with the ping command, like ping -s 655507. After this ping my Squid server goes down, reboots, or is in no condition to respond. How can I save my server from this kind of ping?


Please help me.

xenoboy
Cadet
 
Posts: 11
Joined: Fri Dec 26, 2003 5:07 pm
WLM: shahiddba@hotmail.com
Yahoo Messenger: shahiddba
Location: Karachi

Postby mahin » Sat Dec 27, 2003 6:46 pm

Your users seem to be doing some reading ;) you need to catch up :).

I am sending you a PM; just glance through that. BTW, from your description I think it is the very old "buffer overflow" sort of thing [IP packets that exceed the maximum legal length (65535 octets)], which has been fixed. Unless you are using some old kernel, this may be something else. You need to post some more details here about the machine running Squid for others to help you.
mahin
Major
 
Posts: 605
Joined: Wed Aug 07, 2002 8:00 pm
Website: http://www.linuxpakistan.net/wiki/index.php/LinuxPakistanKarachi
Location: Karachi
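The "packets that exceed the maximum legal length" mahin refers to, worked through as an added example (this is not code from the thread). An IPv4 datagram is at most 65535 octets including its 20-octet header, so the largest ICMP echo payload that fits is 65507 bytes; anything larger arrives as fragments, and the receiver only learns the total size from the last fragment's offset plus its length. The classic ping-of-death bug was reassembly code that trusted that sum while writing into a buffer sized for a legal datagram. The fragment sizes and the 1500-byte MTU below are assumptions for illustration; the bounds check in reassemble() is the shape of the fix.

```python
"""Added example (not from the thread): why a ping far larger than the IP
maximum could crash an old kernel, and the bounds check that fixed it."""

IP_MAX = 65535                 # maximum IPv4 datagram, header included
IP_HDR = 20                    # IPv4 header without options
ICMP_HDR = 8                   # ICMP echo header
MAX_ECHO_PAYLOAD = IP_MAX - IP_HDR - ICMP_HDR   # 65507, the usual ceiling for ping -s
FRAG_DATA = 1480               # assumed data per fragment on a 1500-byte MTU; multiple of 8


class ReassemblyError(ValueError):
    """Raised when fragments cannot form a legal datagram."""


def fragment(payload_len):
    """Split an ICMP echo with payload_len bytes into (offset, length, more)
    triples the way a sender would. Deliberately no sanity check: this is the
    attacker's side, and old ping binaries let you ask for any size."""
    total = ICMP_HDR + payload_len      # bytes that follow the IP header
    frags = []
    off = 0
    while off < total:
        length = min(FRAG_DATA, total - off)
        frags.append((off, length, off + length < total))
        off += length
    return frags


def reassemble(frags):
    """Rebuild the datagram and return its full length (IP header included).

    This is the receiver's side. The fixed-size buffer is what overflowed in
    vulnerable stacks; the check before the copy is the fix."""
    buf = bytearray(IP_MAX - IP_HDR)    # room for a maximal legal datagram body
    end = 0
    saw_last = False
    for off, length, more in frags:
        if more and (off % 8 != 0 or length % 8 != 0):
            raise ReassemblyError("non-final fragment not 8-octet aligned")
        if IP_HDR + off + length > IP_MAX:
            raise ReassemblyError(
                f"fragment at offset {off} with {length} bytes would end at "
                f"{IP_HDR + off + length}, beyond the {IP_MAX}-octet limit")
        buf[off:off + length] = bytes(length)   # safe only because of the check above
        end = max(end, off + length)
        saw_last = saw_last or not more
    if not saw_last:
        raise ReassemblyError("final fragment missing")
    return IP_HDR + end


def oversize(payload_len):
    """True if an echo with this payload can never be a legal datagram."""
    try:
        reassemble(fragment(payload_len))
    except ReassemblyError:
        return True
    return False


if __name__ == "__main__":
    for size in (56, MAX_ECHO_PAYLOAD, MAX_ECHO_PAYLOAD + 1, 655507):
        print(f"ping -s {size}: {'rejected' if oversize(size) else 'legal'}")
```

A payload of 65507 reassembles to exactly 65535 octets and is accepted; 65508 and the 655507 from the original post are rejected at the first fragment that would end past the limit, before anything is written. A patched kernel does the same thing, which is why mahin says this attack only matters on an old one.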

Postby zaeemarshad » Sat Dec 27, 2003 11:33 pm

iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.1 -p icmp -j DROP

Simply block the ICMP requests. Better still, block icmp echo-reply; that's much better. BTW, mahin is right about the buffer overflow attack; that seems to have been fixed a long time ago.

regards
zaeem
Last edited by zaeemarshad on Mon Dec 29, 2003 12:21 am, edited 1 time in total.
zaeemarshad
Lieutenant Colonel
 
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Website: http://zaeem.no-ip.org
WLM: zarshadvirk@hotmail.com
Yahoo Messenger: negativecreep61@yahoo.com
AOL: zarshadvirk
Location: Islamabad


Postby LinuxFreaK » Sun Dec 28, 2003 8:16 pm

Dear xenoboy,
Salam,

I think there is another way to do the same thing without using IPChains or IPtables.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all


Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

Postby kernel-trap » Sun Dec 28, 2003 9:41 pm

Yes, very reasonable answers.

Another way: simply turn off your box :)
kernel-trap
Havaldaar
 
Posts: 105
Joined: Thu Dec 25, 2003 2:31 pm

Postby zaeemarshad » Mon Dec 29, 2003 12:20 am

Whichever solution you use, mine or LinuxFreaK's, remember to add the lines to rc.local if you are using Red Hat/Mandrake or a Red Hat-derived distro. Put them in rc.S in Slackware and Debian, I guess? Not sure about that though. Do post if the solutions work. Better yet, deploy an IDS like Snort or LIDS on the server and check who is perpetrating such attacks. You may want to track them down and tell them that you are not that lame. No offense intended. :)

regards
zaeem
zaeemarshad
Lieutenant Colonel
 
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Website: http://zaeem.no-ip.org
WLM: zarshadvirk@hotmail.com
Yahoo Messenger: negativecreep61@yahoo.com
AOL: zarshadvirk
Location: Islamabad

Postby kernel-trap » Mon Dec 29, 2003 12:34 am

Yes, right: the /proc files are recreated at reboot, so put it in /etc/rc.local.

Last time I tried Snort it required a lot of software and needed a separate machine; otherwise your machine's performance will suffer.

As for LIDS, it is just a kernel patch; I think it will be easy to set up and administer.

Regards
kernel-trap
Havaldaar
 
Posts: 105
Joined: Thu Dec 25, 2003 2:31 pm

Postby newbie » Mon Dec 29, 2003 1:49 am

You also need to block ICMP in the FORWARD chain; otherwise it will eat up all your bandwidth.


iptables -A FORWARD -p icmp -j DROP
newbie
Company Havaldaar Major
 
Posts: 156
Joined: Thu Aug 08, 2002 4:18 am
WLM: usman_fool@hotmail.com
Location: lahore


Postby LinuxFreaK » Mon Dec 29, 2003 8:02 pm

Dear all PLUCians,
Salam,

I forgot to write about rc.local :P, but it's great for those who do not know much about Linux: just add the lines to the rc.local file located in /etc/rc.d/.

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

Postby zaeemarshad » Tue Dec 30, 2003 12:26 am

The rc.local is the Linux equivalent of autoexec.bat in Windows and is located at /etc/rc.local. Put in any command you like and it will be executed upon boot.

regards
zaeem
zaeemarshad
Lieutenant Colonel
 
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Website: http://zaeem.no-ip.org
WLM: zarshadvirk@hotmail.com
Yahoo Messenger: negativecreep61@yahoo.com
AOL: zarshadvirk
Location: Islamabad

Postby fawad » Tue Dec 30, 2003 1:15 am

Guys,
Instead of messing with rc.local, you can just put


net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

in /etc/sysctl.conf in any new distro. Run sysctl -p to have it take effect immediately.

In addition to the suggestions above (I am digressing from the original question, BTW), you can make a tradeoff between all-out ICMP allow and deny by doing


iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 -j ACCEPT

to allow a limited rate of ping requests in. Of course, you should do the same on the FORWARD table if the box is serving as a router too.

-fawad
fawad
Site Admin
 
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
ICQ: 17672437
Website: http://www.fawad.net
WLM: fawadhalim@hotmail.com
Yahoo Messenger: fawad2048
AOL: fawadhalim
Location: Addison, IL
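What fawad's two `-m limit` rules actually let through during a ping flood, as an added example that is not from the thread. The limit match is a token bucket: it holds at most --limit-burst tokens, starts full, refills at --limit, and a packet matches (and spends a token) only if a whole token is available; a packet that fails the first rule's limit falls through to the next rule. The arrival times, the packet mix and the DROP default policy below are constructed assumptions, and the kernel does its credit accounting in ticks, so boundary cases can differ slightly from this model.

```python
"""Added example (not from the thread): a token-bucket model of iptables'
-m limit, run over a constructed ping flood against fawad's two INPUT rules."""
from dataclasses import dataclass


@dataclass
class Packet:
    t: float          # arrival time in seconds (constructed)
    icmp_type: str    # "echo-request", "echo-reply", ...


class LimitMatch:
    """Stands in for `-m limit --limit R/minute --limit-burst B`."""

    def __init__(self, per_minute, burst):
        self.rate = per_minute / 60.0   # tokens per second
        self.burst = float(burst)
        self.tokens = float(burst)      # iptables starts the bucket full
        self.last = 0.0

    def matches(self, t):
        # Refill for the elapsed time, cap at burst, then spend one token if we can.
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def build_input_chain():
    """fawad's two rules, in order. None means 'any ICMP type'."""
    return [
        # iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
        ("echo-request", LimitMatch(5, 5)),
        # iptables -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
        (None, LimitMatch(20, 5)),
    ]


def run_chain(packets, policy="DROP"):
    """Return one verdict per packet. Packets must be in arrival order.
    `policy` is the assumed chain default (or a trailing `-p icmp -j DROP`)."""
    chain = build_input_chain()
    verdicts = []
    for p in packets:
        verdict = policy
        for icmp_type, limit in chain:    # first matching rule wins
            if icmp_type is not None and icmp_type != p.icmp_type:
                continue
            if limit.matches(p.t):
                verdict = "ACCEPT"
                break
        verdicts.append(verdict)
    return verdicts


def flood_sample():
    """Constructed traffic: 20 echo requests in 0.2 s from one LAN host,
    one echo reply arriving during the burst, then a polite ping every 30 s."""
    pkts = [Packet(0.01 * i, "echo-request") for i in range(20)]
    pkts.append(Packet(0.25, "echo-reply"))
    pkts += [Packet(60.0 + 30.0 * k, "echo-request") for k in range(3)]
    return pkts


def summarize(verdicts):
    return {v: verdicts.count(v) for v in ("ACCEPT", "DROP")}


if __name__ == "__main__":
    pkts = flood_sample()
    verdicts = run_chain(pkts)
    for p, v in zip(pkts, verdicts):
        print(f"t={p.t:7.2f}s {p.icmp_type:13s} -> {v}")
    print(summarize(verdicts))
```

Running it shows the detail worth knowing before you deploy these rules: the first five requests use up rule 1's burst, the next five fall through and use up rule 2's burst (rule 2 is `-p icmp` with no type filter, so echo requests match it too), and only then does the flood start dropping. The echo reply that arrives during the burst is dropped as well, because the flood has emptied the general ICMP bucket. If you want replies and other ICMP to survive a flood, put an explicit `--icmp-type echo-request -j DROP` between the two rules so excess requests never reach the second one. The polite pings 30 s apart are all accepted, since 5/minute refills a token every 12 s.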

