
Is there a simple rule that can be written to stop a ping o' death with iptables?

Khaled
John

1 Answer

Most modern operating systems are immune to the "ping-of-death" attack. From the IPCHAINS HOWTO (http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-5.html):

5.3 Filtering out Ping of Death

Linux boxes are now immune to the famous Ping of Death, which involves sending an illegally-large ICMP packet which overflows buffers in the TCP stack on the receiver and causes havoc.

If you are protecting boxes which might be vulnerable, you could simply block ICMP fragments. Normal ICMP packets aren't large enough to require fragmentation, so you won't break anything except big pings. I have heard (unconfirmed) reports that some systems required only the last fragment of an oversize ICMP packet to corrupt them, so blocking only the first fragment is not recommended.

You could drop icmp fragments with something like this:

iptables -A FORWARD -p icmp -f -j DROP

But again, unless you're trying to protect some really old equipment, this is all probably unnecessary.

larsks
  • Thanks for the information. The one rule that I was wondering about was the following: iptables --append protect -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT – John Nov 17 '10 at 18:56
  • Because of the way iptables handles fragments it is probably a reasonable idea to block them outright anyway. Brief description at: http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#ss7.3 – Scott Pack Nov 17 '10 at 19:05
  • @john: the rule you've quoted is simply an ICMP rate limiter. It will only accept at most 1 ICMP packet/second (well, assuming that the packets are rejected by a subsequent rule). It doesn't directly address the same problem. – larsks Nov 17 '10 at 19:22
  • Thanks for the information. It is hard to sort through various things one finds online to verify that they do what one intends them to do. – John Nov 17 '10 at 20:08
  • @packs: Thanks for the link, I will be sure to read through it. – John Nov 17 '10 at 20:08
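Two points in the answer and its comments are easy to verify in code: an oversize ICMP datagram only becomes "illegally large" when a fragment's data would land past the 65535-byte IPv4 limit (which is why the last fragment alone can matter), and the iptables `-f` match applies only to second and further fragments, never the first. The following is an added example, not code from the answer or the netfilter HOWTO; it parses bare IPv4 headers (constructed inline, payloads omitted) and applies both checks.

```python
import struct

IPV4_MAX_DATAGRAM = 65535  # largest total length an IPv4 datagram can carry

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the IPv4 header fields a fragment check needs."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "id": ident, "proto": proto,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "payload_len": total_len - ihl,
    }

def matches_iptables_f(hdr: dict) -> bool:
    """The iptables '-f' match applies only to second and further fragments,
    i.e. those with a non-zero fragment offset; the first fragment never matches."""
    return hdr["frag_offset"] != 0

def is_oversize_fragment(hdr: dict) -> bool:
    """True when this fragment's data would end beyond the 65535-byte IPv4 limit,
    which is what the final fragment of an oversize ICMP datagram does."""
    return hdr["frag_offset"] + hdr["payload_len"] > IPV4_MAX_DATAGRAM

def build_ipv4_header(ident, offset_units, more, payload_len, proto=1):
    """Constructed sample data: a bare IPv4 header (no payload) for an ICMP fragment."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def flag_oversize_datagrams(headers):
    """Return the (src, dst, id, proto) keys of datagrams with an oversize fragment
    and the number of fragments an '-f' DROP rule would have discarded."""
    flagged, dropped_by_f = set(), 0
    for hdr in headers:
        if matches_iptables_f(hdr):
            dropped_by_f += 1
        if is_oversize_fragment(hdr):
            flagged.add((hdr["src"], hdr["dst"], hdr["id"], hdr["proto"]))
    return flagged, dropped_by_f

# Constructed sample: three fragments of one ICMP datagram; the last one
# starts at offset 8191*8 = 65528 and carries 200 bytes, overshooting the limit.
SAMPLE = [
    build_ipv4_header(0x1234, 0, True, 1480),
    build_ipv4_header(0x1234, 185, True, 1480),
    build_ipv4_header(0x1234, 8191, False, 200),
]
```

Run against SAMPLE, the first fragment is untouched by `-f` while both later ones match, and only the last fragment trips the oversize check.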