Ping of Death Ping -s 655507 192.168.0.1

Taking care of your Linux box.
xenoboy
Cadet
Posts: 11
Joined: Fri Dec 26, 2003 5:07 pm
Location: Karachi
Contact:


Post by xenoboy »

I have a small 100-PC network using Squid as a proxy server. People in my LAN sometimes send me a lot of packets with the ping command, like ping -s 655507. After this ping my Squid server goes down, reboots, or is not in a condition to respond. How can I save my server from this kind of ping?


Please help me.

xenoboy
mahin
Major
Posts: 605
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi
Contact:

Post by mahin »

Your users seem to be doing some reading ;) you need to catch up :).

I am sending you a PM; just glance through that. BTW, from your description I think it is the very old "buffer overflow" sort of thing [IP packets that exceed the maximum legal length (65535 octets)], which has been fixed. Unless you are using some old kernel, this may be something else. You need to post some more details here about the machine running Squid for others to help you.
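The oversized-datagram condition mahin refers to can be checked on the wire. The following is an added example, not code from the thread: a small Python fragment tracker that parses IPv4 headers with the standard library, follows each (src, dst, id, proto) reassembly stream, and raises an alert as soon as a fragment's offset plus its payload would push the reassembled datagram past 65535 octets. The packets are constructed inline by the helper (the sender address 192.168.0.77 is an assumption; 192.168.0.1 is the server from the thread), so it runs offline without a capture.

```python
"""Detect 'Ping of Death' style oversized IPv4 datagrams from their fragments.

Added example (not from the original thread). Constructed packets only.
"""
import struct
from typing import Dict, List, Optional, Tuple

IPV4_MAX_LEN = 65535                       # maximum legal IPv4 datagram length (octets)
IPV4_MIN_HDR = 20                          # header without options
MAX_PAYLOAD = IPV4_MAX_LEN - IPV4_MIN_HDR  # 65515: largest payload that still fits
IP_MF = 0x2000                             # "more fragments" flag in the flags/offset field
IP_OFFMASK = 0x1FFF                        # 13-bit fragment offset, in 8-octet units
PROTO_ICMP = 1


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_fragment(ident: int, offset_units: int, more: bool, payload_len: int,
                   src: str = "192.168.0.77", dst: str = "192.168.0.1") -> bytes:
    """Construct a minimal IPv4 fragment (no checksum) for testing. Addresses are assumptions."""
    flags_off = (IP_MF if more else 0) | (offset_units & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR + payload_len, ident,
                      flags_off, 64, PROTO_ICMP, 0, _ip(src), _ip(dst))
    return hdr + b"\x00" * payload_len


def fragment_echo_request(ident: int, data_len: int, mtu: int = 1500) -> List[bytes]:
    """Fragment an ICMP echo carrying `data_len` data bytes (plus the 8-byte ICMP header)
    the way a sender on a 1500-byte MTU would. ping -s 65510 is the classic case."""
    total = 8 + data_len
    per_frag = (mtu - IPV4_MIN_HDR) // 8 * 8   # 1480: payload per fragment, multiple of 8
    frags, off = [], 0
    while off < total:
        n = min(per_frag, total - off)
        frags.append(build_fragment(ident, off // 8, off + n < total, n))
        off += n
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    """Return the header fields relevant to reassembly; offset is converted to octets."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_MIN_HDR])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "proto": proto,
        "more": bool(flags_off & IP_MF),
        "offset": (flags_off & IP_OFFMASK) * 8,
        "payload_len": total_len - ihl,
    }


class FragmentTracker:
    """Track the high-water mark of every reassembly stream and flag oversized datagrams."""

    def __init__(self) -> None:
        self.high_water: Dict[Tuple[str, str, int, int], int] = {}

    def observe(self, pkt: bytes) -> Optional[str]:
        f = parse_ipv4(pkt)
        key = (f["src"], f["dst"], f["id"], f["proto"])
        end = f["offset"] + f["payload_len"]           # last octet this fragment fills
        self.high_water[key] = max(self.high_water.get(key, 0), end)
        if self.high_water[key] > MAX_PAYLOAD:
            return (f"oversized datagram {f['src']} -> {f['dst']} id={f['id']}: "
                    f"would reassemble to {IPV4_MIN_HDR + self.high_water[key]} octets "
                    f"(> {IPV4_MAX_LEN})")
        return None


def scan(packets: List[bytes]) -> List[str]:
    """Run every packet through one tracker and collect the alerts."""
    tracker = FragmentTracker()
    return [a for a in (tracker.observe(p) for p in packets) if a]


if __name__ == "__main__":
    # A legitimate 3000-byte ping fragments cleanly; ping -s 65510 does not.
    print(scan(fragment_echo_request(1, 3000)))      # []
    print(scan(fragment_echo_request(2, 65510)))     # one alert on the last fragment
```

The threshold is applied to the payload (65515 octets) because the 65535 limit covers the 20-byte header too; an ICMP echo with 65510 data bytes plus its 8-byte ICMP header ends at octet 65518 and is flagged on its final fragment, while everything below the limit passes silently.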
zaeemarshad
Lieutenant Colonel
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Location: Islamabad
Contact:

Post by zaeemarshad »

iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.1 -p icmp -j DROP

Simply block the ICMP requests. Better still, block icmp-echo-reply; that's much better. BTW, mahin is right about the buffer overflow attack; that seems to have been fixed a long time ago.

regards
zaeem
Last edited by zaeemarshad on Mon Dec 29, 2003 12:21 am, edited 1 time in total.
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Post by LinuxFreaK »

Dear xenoboy,
Salam,

I think there is another way to do the same thing without using ipchains or iptables.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all


Best Regards.
Farrukh Ahmed
kernel-trap
Havaldaar
Posts: 105
Joined: Thu Dec 25, 2003 2:31 pm

Post by kernel-trap »

Yes, very reasonable answers.

Another way: simply turn off your box :)
zaeemarshad
Lieutenant Colonel
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Location: Islamabad
Contact:

Post by zaeemarshad »

Any solution you use, mine or LinuxFreaK's, but remember to add the lines to rc.local if you are using Red Hat/Mandrake or a Red Hat-derived distro. Put them in rc.S in Slack and Deb, I guess? Not sure about that, though. Do post if the solutions work. Better yet, deploy an IDS like Snort or LIDS on the server and check who is perpetrating such attacks. You may want to track them down and tell them that you are not that lame. No offense intended. :)

regards
zaeem
kernel-trap
Havaldaar
Posts: 105
Joined: Thu Dec 25, 2003 2:31 pm

Post by kernel-trap »

Yes, right, the /proc file is recreated at reboot, so put it in /etc/rc.local.

The last time I tried Snort it required a lot of software and needed a separate machine; otherwise your machine's performance will suffer.

And as for LIDS, it is just a kernel patch; I think it will be easy to set up and administer.

Regards
newbie
Company Havaldaar Major
Posts: 156
Joined: Thu Aug 08, 2002 4:18 am
Location: lahore

Post by newbie »

You also need to block ICMP at the FORWARD chain, otherwise it will eat up all your bandwidth.


iptables -A FORWARD -p icmp -j DROP
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Post by LinuxFreaK »

Dear All PLUCian's,
Salam,

I forgot to write about rc.local :P but it's great for those who don't know much about Linux: just add the lines to the rc.local file located in /etc/rc.d/.

Best Regards.
Farrukh Ahmed
zaeemarshad
Lieutenant Colonel
Posts: 660
Joined: Sat Jul 06, 2002 12:35 pm
Location: Islamabad
Contact:

Post by zaeemarshad »

The rc.local is the Linux equivalent of autoexec.bat in Windows and is located at /etc/rc.local. Put in any command you like and it will be executed upon boot.

regards
zaeem
fawad
Site Admin
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
Location: Addison, IL
Contact:

Post by fawad »

Guys,
Instead of messing with rc.local, you can just put

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

in /etc/sysctl.conf in any new distro. Run sysctl -p to have it take effect immediately.

In addition to the suggestions above (I am digressing from the original question, BTW), you can make a tradeoff between all-out ICMP allow and deny by doing

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
# Whatever exceeds the limits falls through to this rule (or to a DROP policy on INPUT)
iptables -A INPUT -p icmp -j DROP

to allow a limited rate of ping requests in. Of course, you should do the same on the FORWARD table if the box is serving as a router too.

-fawad
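To see what the rate-limited rule set above actually lets through, here is an added example (not from the thread) that models the iptables limit match as the token bucket it is: the bucket starts full with --limit-burst tokens, regains one token every 60/--limit seconds, and a packet matches (and is ACCEPTed) only if a token is available; anything else falls through to the DROP. The arrival timestamps are constructed, not captured traffic.

```python
"""Token-bucket model of '-m limit --limit 5/minute --limit-burst 5'.

Added example, not code from the original thread. Arrival times are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LimitMatch:
    """One bucket, as the iptables limit match keeps per rule."""
    rate_per_minute: float
    burst: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)      # the bucket starts full

    def matches(self, now: float) -> bool:
        """True if a packet arriving at `now` (seconds) gets a token."""
        interval = 60.0 / self.rate_per_minute           # seconds per regained token
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) / interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_echo_requests(arrivals: List[float], rate: float = 5.0,
                         burst: int = 5) -> List[Tuple[float, str]]:
    """Apply 'ACCEPT if the limit matches, otherwise DROP' to echo-request arrival times."""
    lim = LimitMatch(rate, burst)
    return [(t, "ACCEPT" if lim.matches(t) else "DROP") for t in arrivals]


def verdict_counts(results: List[Tuple[float, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {"ACCEPT": 0, "DROP": 0}
    for _, v in results:
        counts[v] += 1
    return counts


if __name__ == "__main__":
    # A burst of 20 pings in two seconds, then one ping 11 s later, then a quiet hour.
    flood = [i * 0.1 for i in range(20)]
    print(verdict_counts(filter_echo_requests(flood)))        # 5 ACCEPT, 15 DROP
    print(filter_echo_requests(flood + [13.0, 13.5, 100.0])[20:])
```

With 5/minute the bucket refills one token every 12 seconds, so a flood gets exactly the burst through and then one packet per 12 seconds; a host that pings you once a minute is never affected, which is the tradeoff fawad describes.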