Ping of Death Ping -s 655507 192.168.0.1
I have a small 100 PC network using Squid as a proxy server. People in my LAN sometimes send me a lot of packets with the ping command, like ping -s 655507. After this ping my Squid server goes down or reboots, or is not in a condition to respond. How can I save my server from this kind of ping?
Please help me
xenoboy
Your users seem to be doing some reading; you need to catch up.
I am sending you a PM; just glance through that. BTW, from your description I think it is the very old "buffer overflow" sort of thing [IP packets that exceed the maximum legal length (65535 octets)], which has been fixed. Unless you are using some old kernel, this may be something else. You need to post some more details here about the machine running Squid for others to help you.
iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.1 -p icmp -j DROP
Simply block the ICMP requests. Better still, block icmp-echo-reply; that's much better. BTW, mahin is right about the buffer overflow attack. That seems to have been fixed a long time ago.
regards
zaeem
Last edited by zaeemarshad on Mon Dec 29, 2003 12:21 am, edited 1 time in total.
Dear xenoboy,
Salam,
I think there is another way to do the same thing without using IPChains or IPtables.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
Best Regards.
Farrukh Ahmed
Whichever solution you use, mine or linuxfreak's, remember to add the lines to rc.local if you are using Red Hat/Mandrake or a Red Hat-derived distro. Put them in rc.S in Slack and Deb, I guess? Not sure about that though. Do post if the solutions work. Better yet, deploy an IDS like Snort or LIDS on the server and check who is perpetrating such attacks. You may want to track them down and tell them that you are not that lame. No offense intended.
regards
zaeem
Dear all PLUCians,
Salam,
I forgot to write about rc.local, but it's great for those who do not know much about Linux; they just want to add the lines in the rc.local file located in /etc/rc.d/
Best Regards.
Farrukh Ahmed
Guys,
Instead of messing with rc.local, you can just put
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
in /etc/sysctl.conf in any new distro. Run sysctl -p to have it take effect immediately.
In addition to the suggestions above (am digressing from the original question, BTW), you can make a tradeoff between all-out ICMP allow and deny by doing
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
to allow a limited rate of ping requests in. Of course, you should do the same on the FORWARD table if the box is serving as a router too.
-fawad
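The oversize condition mentioned earlier in the thread (a reassembled IP datagram longer than 65535 octets) can be checked fragment by fragment, which is the kind of test an IDS applies to find which host is sending such pings. This is an added example, not code posted by anyone in the thread; the function names are hypothetical, and the sample headers and 192.168.0.x addresses are constructed.

```python
import socket
import struct

MAX_IP_DATAGRAM = 65535  # largest legal IPv4 datagram, in octets
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-octet IPv4 header

def fragment_end(packet: bytes):
    """Return (source, size the datagram would reach after reassembly), or None."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, flags_frag, _, _, _, src, _ = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return None  # not IPv4, or malformed header
    offset = (flags_frag & 0x1FFF) * 8  # offset field counts 8-octet units
    return socket.inet_ntoa(src), ihl + offset + (total_len - ihl)

def oversized_sources(packets):
    """Map each source address to the largest illegal reassembled size it sent."""
    hits = {}
    for pkt in packets:
        parsed = fragment_end(pkt)
        if parsed and parsed[1] > MAX_IP_DATAGRAM:
            src, end = parsed
            hits[src] = max(end, hits.get(src, 0))
    return hits

def sample_header(src, total_len, offset_units, more_fragments):
    """Constructed test data: header only, checksum left at zero."""
    flags_frag = (0x2000 if more_fragments else 0) | offset_units
    return struct.pack(IP_HDR, 0x45, 0, total_len, 0x1234, flags_frag, 64, 1, 0,
                       socket.inet_aton(src), socket.inet_aton("192.168.0.1"))

SAMPLE = [
    sample_header("192.168.0.10", 84, 0, False),       # ordinary ping
    sample_header("192.168.0.11", 1500, 185, False),   # legal last fragment
    sample_header("192.168.0.66", 1500, 8189, False),  # ends past 65535 octets
]

if __name__ == "__main__":
    for src, size in oversized_sources(SAMPLE).items():
        print(f"oversized datagram from {src}: would reassemble to {size} octets")
```

The check needs only the header of each fragment, so it flags the sender before any reassembly buffer is filled.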