
Is there a simple rule that can be written to stop a ping o' death with iptables?

    is anything still vulnerable to the ping of death??
    – Zypher
    Commented Nov 17, 2010 at 18:49

1 Answer


Most modern operating systems are immune to the "ping-of-death" attack. From the IPCHAINS HOWTO (http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-5.html):

5.3 Filtering out Ping of Death

Linux boxes are now immune to the famous Ping of Death, which involves sending an illegally-large ICMP packet which overflows buffers in the TCP stack on the receiver and causes havoc.

If you are protecting boxes which might be vulnerable, you could simply block ICMP fragments. Normal ICMP packets aren't large enough to require fragmentation, so you won't break anything except big pings. I have heard (unconfirmed) reports that some systems required only the last fragment of an oversize ICMP packet to corrupt them, so blocking only the first fragment is not recommended.

You could drop icmp fragments with something like this:

iptables -A FORWARD -p icmp -f -j DROP

But again, unless you're trying to protect some really old equipment, this is all probably unnecessary.

  • Thanks for the information. The one rule that I was wondering about was the following: iptables --append protect -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    – John
    Commented Nov 17, 2010 at 18:56
  • Because of the way iptables handles fragments it is probably a reasonable idea to block them outright anyway. Brief description at: netfilter.org/documentation/HOWTO/…
    – Scott Pack
    Commented Nov 17, 2010 at 19:05
  • @john: the rule you've quoted is simply an ICMP rate limiter. It will only accept at most 1 ICMP packet/second (well, assuming that the packets are rejected by a subsequent rule). It doesn't directly address the same problem.
    – larsks
    Commented Nov 17, 2010 at 19:22
  • Thanks for the information. It is hard to sort through various things one finds online to verify that they do what one intends them to do.
    – John
    Commented Nov 17, 2010 at 20:08
  • @packs: Thanks for the link, I will be sure to read through it.
    – John
    Commented Nov 17, 2010 at 20:08
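The answer above describes the mechanism in one sentence: an illegally large ICMP datagram is split into fragments whose reassembly overruns the receiver's buffer, and the `-p icmp -f` rule works because `-f` matches second and further fragments. The following Python model is an added example, not code from the answer, the HOWTO, or the iptables project. It assumes an Ethernet MTU of 1500, a naive receiver that copies each fragment into a 64 KiB reassembly buffer at its offset, and the function names `fragment`, `overflows_reassembly`, `drop_icmp_fragments`, `drop_icmp_first_fragment` and `stack_overflowed`, all of which are this example's own. It shows three things the text only states: a normal 64-byte ping is never fragmented and so never matches `-f`; the largest legal ping (65507 data bytes) ends exactly at byte 65535; and the classic ping of death (65510 data bytes) ends at 65538, which only the final fragment reveals, so dropping only the first fragment leaves the dangerous one untouched.

```python
"""Model of IPv4 fragmentation, the ping-of-death reassembly overflow, and
the two ICMP fragment-filter policies discussed in the answer.
Added example; the packet layouts are real, the receiver model is simplified."""

from dataclasses import dataclass
import struct

ICMP = 1
IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535        # IPv4 total-length field is 16 bits wide
MTU = 1500                  # assumed link MTU (Ethernet)


@dataclass(frozen=True)
class Fragment:
    proto: int
    offset: int             # payload offset in bytes (wire field is offset // 8)
    more_fragments: bool    # MF flag
    payload: bytes


def _inet_checksum(buf: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo_request(data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP echo request: type 8, code 0, checksum, identifier, sequence, data."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = _inet_checksum(header + data)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + data


def fragment(proto: int, payload: bytes, mtu: int = MTU) -> list:
    """Split an IP payload into fragments as a sender would (offsets are
    multiples of 8).  Nothing here checks that the whole datagram fits in
    65535 bytes: that missing check is what a ping-of-death sender exploits."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(Fragment(proto, off, off + len(piece) < len(payload), piece))
    return frags


def overflows_reassembly(frag: Fragment) -> bool:
    """A naive receiver copies each fragment into a 64 KiB buffer at its
    offset, so any single fragment ending past the buffer overflows it,
    whether or not the first fragment ever arrived."""
    return IP_HEADER_LEN + frag.offset + len(frag.payload) > MAX_DATAGRAM


# Filter policies: each returns True when the packet would be DROPped.

def drop_icmp_fragments(frag: Fragment) -> bool:
    """iptables -A FORWARD -p icmp -f -j DROP
    ``-f`` matches second and further fragments, i.e. fragment offset != 0."""
    return frag.proto == ICMP and frag.offset != 0


def drop_icmp_first_fragment(frag: Fragment) -> bool:
    """The variant the HOWTO advises against: block only the first piece of a
    fragmented ICMP datagram (offset 0 with MF set) and let the rest through."""
    return frag.proto == ICMP and frag.offset == 0 and frag.more_fragments


def survives_filter(frags, policy) -> list:
    return [f for f in frags if not policy(f)]


def stack_overflowed(frags, policy) -> bool:
    """Does anything that passes the filter overflow the receiver's buffer?"""
    return any(overflows_reassembly(f) for f in survives_filter(frags, policy))


# Constructed sample traffic (not captured packets)
NORMAL_PING = fragment(ICMP, icmp_echo_request(b"A" * 56))        # 64-byte ICMP, unfragmented
BIG_LEGAL_PING = fragment(ICMP, icmp_echo_request(b"A" * 65507))  # largest datagram that fits
PING_OF_DEATH = fragment(ICMP, icmp_echo_request(b"A" * 65510))   # total length 65538 > 65535

if __name__ == "__main__":
    cases = [("normal", NORMAL_PING), ("big legal", BIG_LEGAL_PING), ("ping of death", PING_OF_DEATH)]
    for name, frags in cases:
        last = frags[-1]
        print(f"{name}: {len(frags)} fragment(s), last byte at "
              f"{IP_HEADER_LEN + last.offset + len(last.payload)}")
        print(f"  -p icmp -f -j DROP       -> overflow={stack_overflowed(frags, drop_icmp_fragments)}, "
              f"delivered={len(survives_filter(frags, drop_icmp_fragments))}")
        print(f"  drop first fragment only -> overflow={stack_overflowed(frags, drop_icmp_first_fragment)}")
```

Running it shows the normal ping passing the `-f` rule untouched, the big legal ping and the ping of death both reduced to their harmless first fragment, and the first-fragment-only policy still delivering the overflowing last fragment. Note that the 64 KiB boundary is checked per fragment on purpose: the receiver does not need to see the first fragment to be harmed, which is the caveat the HOWTO raises.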
