[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ICMP drop.

On Thu, 09 Oct 2003, Rudi Starcevic wrote:
>>This *will* make your life miserable, as you suddenly can't connect
>>to, or be connected to from, a large proportion of systems.
> Thanks - sorry such novice questions.

That's fine -- you asked sensible questions, with obvious research, and
accepted assistance. That's more than a lot of people can manage. :)


> I've had Snort up and running only for a day or so and noticed an IP
> that first pinged me then followed up with loads of request on all
> sorts of ports which triggered dozens of alerts.

That would be todays Internet, sadly. If you don't have security from
second one you are on the network, you lose.  I miss the good old days
where there was a chance of a day passing before the first portscan...

> So I had the silly idea to drop icmp packets and be anonymous.

*nod*  It's a good idea, and something that is reasonable to do for
most ICMP packets.

> As I now know you'll also end up lonely if you drop icmp packets So it
> not really possible be anonymous. The machine just has to deal with
> the requests asked of it. 

Well, pretty much. A good firewall should ensure you never see most of
them anyway, but you can't do anything to make certain of not being

Blocking some-but-not-all ICMP is good, though, especially if you have
Windows boxes behind your firewall.

Basically, you *must* allow the following ICMP packet types through, or
your network connection is less functional:

     ICMP 3  - destination unreachable
     ICMP 11 - TTL exceeded
     ICMP 12 - parameter problems

With iptables, the following rules will do that:

iptables -A proto-icmp -p icmp --icmp-type 3 -j ACCEPT
iptables -A proto-icmp -p icmp --icmp-type 11 -j ACCEPT
iptables -A proto-icmp -p icmp --icmp-type 12 -j ACCEPT
iptables -A proto-icmp -p icmp -j DROP

Obviously, you need to hook this into your system your way. :)

> The first step is to monitor those requests with something like Snort.

Personally, I don't bother monitoring with Snort for most of the
attacks. People attack, my firewall ignores it, all is well.


Some television is so much chewing gum for the eyes.
        -- John Mason Brown

Reply to: