RE: Dropping ICMP Echo Request

["Mike" <mike () superiorholidayadventures ca>]

It looks like you can't do it in Win2K by limiting the protocols in the
NIC's filtering screen.  You can however do it with ISA Server according
to this website:

http://www.isaserver.org/tutorials/How_to_create_a_packet_filter_for_dro
pping_ICMP_Packets_Ping_Requests.html

Good Luck!

Mike Fetherston

> -----Original Message-----
> From: Rodrigo Otaviano [mailto:rodrigo () otaviano com]
> Sent: Monday, November 17, 2003 12:59 PM
> To: Mike; security-basics
> Subject: Re: Dropping ICMP Echo Request
>
> Oh sorry Mike, actually I forgot to mention something: my client is
using
> Windows 2000 Server. They have Microsoft ISA Server installed ( which
I
> don't have so much experience on ), but I couldn't figure out a way to
> achieve my goals with it because these ICMP packets are been sent to
the
> entire subnet and as far as I know, I can only apply filter rules on
> interfaces the ISA Server is attached to.
>
> The situation is something like this:
>
>      flooding of icmp packets
>        |
>        |
>       GATEWAY - ISA SERVER ( x.y.z.5)
>        |
>    |---------------------|--------------------------|
> x.y.z.6           x.y.3z.7                x.y.z.8
>
>
> So I decided to go for Snort, since they don't want to spend a lot of
> money
> on this. My objetive here was to use Snort on this gateway and drop
any
> ICMP
> packets directed to any of these IP addresses.
>
> Rodrigo Otavio Paes de Barros Otaviano
>
>
> On 11/17/03 9:31 AM, "Mike" <mike () superiorholidayadventures ca> wrote:
>
> > Sounds like you might be running Linux.  If you are and are using
> > IPTables you can accomplish this with the following command:
> >
> > iptables -I INPUT -i <outside nic> -p icmp --icmp-type echo-request
-j
> > DROP
> >
> > You could also slow the rate down with with this:
> >
> > iptables -I INPUT -i <outside nic> -p icmp --icmp-type echo-request
-m
> > limit --limit 1/s -j DROP
> >
> > You can fiddle with the numbers on that last one to your liking.
Hope
> > that helps!
> >
> > Mike Fetherston
> >
> > > -----Original Message-----
> > > From: Rodrigo Otaviano [mailto:rodrigo () otaviano com]
> > > Sent: Friday, November 14, 2003 4:36 PM
> > > To: security-basics
> > > Subject: Dropping ICMP Echo Request
> > >
> > > Hi there,
> > >
> > > My goal is to drop some ICMP Echo Request packets in order to
minimize
> > > intense ICMP traffic.
> > >
> > > I know it's possible to implement some active response on Snort for
> > > example
> > > by using it along with FlexResp. For example, if I want to send a
> > message
> > > of
> > > "host and port unreachable" to the sender, I can simply use
something
> > > this:
> > >
> > > alert udp any any -> 192.168.1.0/24 31 (resp: icmp_port,icmp_host;
> > msg:
> > > "example";)
> > >
> > > But that's not exactly what I want to do.
> > >
> > > My question is: is it possible to drop any ICMP Echo Request
instead
> > of
> > > sending a new ICMP back ( by using Snort ) or I would have to use
some
> > > kind
> > > of filter rule manipulation, for example with SnortSam to
> > modify/create an
> > > access control list (acl) on a firewall or router  ?
> > >
> > > Rodrigo Otavio Paes de Barros Otaviano


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------