Is there a simple rule that can be written to stop a ping o' death with iptables?
1 Answer
Most modern operating systems are immune to the "ping-of-death" attack. From the IPCHAINS HOWTO (http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-5.html):
5.3 Filtering out Ping of Death
Linux boxes are now immune to the famous Ping of Death, which involves sending an illegally-large ICMP packet which overflows buffers in the TCP stack on the receiver and causes havoc.
If you are protecting boxes which might be vulnerable, you could simply block ICMP fragments. Normal ICMP packets aren't large enough to require fragmentation, so you won't break anything except big pings. I have heard (unconfirmed) reports that some systems required only the last fragment of an oversize ICMP packet to corrupt them, so blocking only the first fragment is not recommended.
You could drop icmp fragments with something like this:
iptables -A FORWARD -p icmp -f -j DROP
But again, unless you're trying to protect some really old equipment, this is all probably unnecessary.
- Thanks for the information. The one rule that I was wondering about was the following: iptables --append protect -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT – John commented Nov 17, 2010 at 18:56
- Because of the way iptables handles fragments it is probably a reasonable idea to block them outright anyway. Brief description at: netfilter.org/documentation/HOWTO/… – commented Nov 17, 2010 at 19:05
- @john: the rule you've quoted is simply an ICMP rate limiter. It will only accept at most 1 ICMP packet/second (well, assuming that the packets are rejected by a subsequent rule). It doesn't directly address the same problem. – larsks commented Nov 17, 2010 at 19:22
- Thanks for the information. It is hard to sort through various things one finds online to verify that they do what one intends them to do. – John commented Nov 17, 2010 at 20:08
- @packs: Thanks for the link, I will be sure to read through it. – John commented Nov 17, 2010 at 20:08
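As an added illustration that is not part of the answer or the comments, the following Python model walks constructed packets through the two rules discussed above: the `-p icmp -f -j DROP` rule from the answer and the `--limit 1/s` echo-request rule from John's comment, followed by the trailing DROP that larsks points out the rate limiter relies on. The `LimitMatch` token bucket, the `icmp_packet` builder and the final DROP are assumptions of this example, not iptables code; it also shows that `-f` only matches second and later fragments, so the first fragment of an oversize ping reaches the next rule.

```python
import struct

ICMP = 1          # IPv4 protocol number for ICMP
ECHO_REQUEST = 8  # ICMP type "echo-request"

class LimitMatch:
    """Token-bucket model of '-m limit --limit <rate>/s --limit-burst <burst>' (iptables default burst is 5)."""
    def __init__(self, rate_per_s, burst=5, now=0.0):
        self.rate, self.burst, self.tokens, self.last = rate_per_s, burst, burst, now

    def take(self, now):
        # Refill proportionally to elapsed time, capped at the burst size, then spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def parse_ipv4(pkt):
    """Pull protocol, MF flag, fragment offset and payload out of a raw IPv4 packet."""
    ver_ihl, _tos, _len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:]}

def verdict(pkt, limiter, now):
    """Walk the two rules from the page, then an assumed final '-j DROP'."""
    h = parse_ipv4(pkt)
    # Rule 1: iptables -A FORWARD -p icmp -f -j DROP
    # '-f' matches only second and further fragments (offset > 0); the first fragment continues.
    if h["proto"] == ICMP and h["offset"] > 0:
        return "DROP"
    # Rule 2: iptables --append protect -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    if h["proto"] == ICMP and h["payload"][:1] == bytes([ECHO_REQUEST]) and limiter.take(now):
        return "ACCEPT"
    # Assumed trailing rule: without it, over-limit pings simply fall through to whatever comes next.
    return "DROP"

def icmp_packet(icmp_type, offset=0, mf=False):
    """Constructed sample IPv4+ICMP packet (checksums left zero); not a real capture."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # type, code, checksum, id, seq
    flags_frag = (0x2000 if mf else 0) | (offset // 8)   # MF flag plus offset in 8-byte units
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, flags_frag, 64, ICMP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp
```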