* ICMP floods
@ 2003-10-15  3:54 Edmund Turner
  2003-10-15  7:06 ` Alistair Tonner
  2003-10-15 16:36 ` Jim Carter
  0 siblings, 2 replies; 7+ messages in thread
From: Edmund Turner @ 2003-10-15  3:54 UTC (permalink / raw)
  To: netfilter

Hey everyone!
I'm trying to create a proper ICMP chain that will block ICMP flooding
by viruses and DoS attacks. Would the ruleset below be sufficient?
I can't simulate the exact ICMP flooding, so I'm only assuming that
limiting the ICMP burst to 10/sec and limiting it to 5/sec.

Any input is appreciated!!

#####################
#####ICMP CHAINS#####
#####################
/sbin/iptables -N ICMP
/sbin/iptables -F ICMP
/sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request  -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second  -j ACCEPT
/sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
/sbin/iptables -A ICMP -p icmp -j DROP


regards
edmund




* Re: ICMP floods
  2003-10-15  3:54 ICMP floods Edmund Turner
@ 2003-10-15  7:06 ` Alistair Tonner
  2003-10-15  7:18   ` Michael Kearey
  2003-10-15 16:36 ` Jim Carter
  1 sibling, 1 reply; 7+ messages in thread
From: Alistair Tonner @ 2003-10-15  7:06 UTC (permalink / raw)
  To: eturner, netfilter

On October 14, 2003 11:54 pm, Edmund Turner wrote:
> Hey everyone!
> I'm trying to create a proper ICMP chain that will block ICMP flooding
> by viruses and DoS attacks. Would the ruleset below be sufficient?
> I can't simulate the exact ICMP flooding, so I'm only assuming that
> limiting the ICMP burst to 10/sec and limiting it to 5/sec.
>
> Any input is appreciated!!
>
> #####################
> #####ICMP CHAINS#####
> #####################
> /sbin/iptables -N ICMP
> /sbin/iptables -F ICMP
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
> #/sbin/iptables -A ICMP -p icmp --icmp-type echo-request  -j ACCEPT
> /sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second  -j ACCEPT

The limit rule above will never be used as the packets are already accepted
by the rule above it.



> /sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
> /sbin/iptables -A ICMP -p icmp -j DROP
>
>
> regards
> edmund

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Let's get magical!



* Re: ICMP floods
  2003-10-15  7:06 ` Alistair Tonner
@ 2003-10-15  7:18   ` Michael Kearey
  2003-10-15  7:29     ` Edmund Turner
  2003-10-15  7:31     ` Alistair Tonner
  0 siblings, 2 replies; 7+ messages in thread
From: Michael Kearey @ 2003-10-15  7:18 UTC (permalink / raw)
  Cc: netfilter

Alistair Tonner wrote:
<Snip>
>>/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
>>/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
>>#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request  -j ACCEPT
   ^


>>/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second  -j ACCEPT
> 
> The limit rule above will never be used as the packets are already accepted
> by the rule above it.
<Snip>

It's commented out isn't it?

Cheers,
Michael




* RE: ICMP floods
  2003-10-15  7:18   ` Michael Kearey
@ 2003-10-15  7:29     ` Edmund Turner
  2003-10-15  7:31     ` Alistair Tonner
  1 sibling, 0 replies; 7+ messages in thread
From: Edmund Turner @ 2003-10-15  7:29 UTC (permalink / raw)
  To: 'Michael Kearey'; +Cc: netfilter

Yes, it is commented out. I've added a limit to both echo-request and
echo-replies. I hope this will stop the problems exhibited by the Welchia
virus.

Regards
edmund

#####################
#####ICMP CHAINS#####
#####################
/sbin/iptables -N ICMP
/sbin/iptables -F ICMP
/sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -p icmp --icmp-type echo-reply -m limit --limit 5/second  -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 5/second  -j ACCEPT
#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request  -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A ICMP -p icmp -j LOG --log-level 5 --log-prefix "ICMP DROP: "
/sbin/iptables -A ICMP -p icmp -j DROP






* Re: ICMP floods
  2003-10-15  7:18   ` Michael Kearey
  2003-10-15  7:29     ` Edmund Turner
@ 2003-10-15  7:31     ` Alistair Tonner
  1 sibling, 0 replies; 7+ messages in thread
From: Alistair Tonner @ 2003-10-15  7:31 UTC (permalink / raw)
  To: Michael Kearey; +Cc: netfilter

On October 15, 2003 03:18 am, Michael Kearey wrote:
> Alistair Tonner wrote:
> <Snip>
>
> >>/sbin/iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
> >>/sbin/iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
> >>#/sbin/iptables -A ICMP -p icmp --icmp-type echo-request  -j ACCEPT
>
>    ^
>
> >>/sbin/iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit
> >>5/second  -j ACCEPT
> >
> > The limit rule above will never be used as the packets are already
> > accepted by the rule above it.
>
> <Snip>
>
> It's commented out isn't it?

	Okay ... perhaps I should go back to sleep now... *grin*

>
> Cheers,
> Michael

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Let's get magical!



* Re: ICMP floods
  2003-10-15  3:54 ICMP floods Edmund Turner
  2003-10-15  7:06 ` Alistair Tonner
@ 2003-10-15 16:36 ` Jim Carter
  2003-10-16  2:38   ` Edmund Turner
  1 sibling, 1 reply; 7+ messages in thread
From: Jim Carter @ 2003-10-15 16:36 UTC (permalink / raw)
  To: Edmund Turner; +Cc: netfilter

On Wed, 15 Oct 2003, Edmund Turner wrote:
> I'm trying to create a proper ICMP chain that will block ICMP flooding
> by viruses and DoS attacks. Would the ruleset below be sufficient?
> -- snip --
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
> /sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10

You need "-j SOMETHING" -- the limit module would bypass the -j action if
it happened too often.  The man page doesn't say the default unit for
 --limit (but it says the default is 3/hour which is kind of infrequent); I
would put in an explicit unit.  Also I doubt you really need separate rate
limiting on each interface.  I see you have ACCEPT rules for every
different type of ICMP packet.  Here's a real simple rule which does
almost the same thing:

iptables -t filter -A FORWARD -p ICMP -m limit --limit 2/second \
	--limit-burst 10 -j ACCEPT
iptables -t filter -A FORWARD -p ICMP -m limit --limit 4/minute -j LOG
iptables -t filter -A FORWARD -p ICMP -j DROP

(Or you could put this in a separate chain like your example: probably just
as efficient if not more so, and more readable.)

Hope this helps!

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: jimc@math.ucla.edu    http://www.math.ucla.edu/~jimc (q.v. for PGP key)
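The two defects Jim points out (a limit rule with no `-j` target, and a `--limit` value without an explicit unit) are easy to catch mechanically. The script below is an added example, not code from the thread: it prints a corrected ICMP chain in the spirit of Jim's version and lints a ruleset for both mistakes; the defective sample rules are a constructed copy of the ones from the original post, and the chain name ICMP is assumed.

```shell
#!/bin/sh
# Added example: corrected ICMP chain plus a lint for the two mistakes
# discussed in the thread. Assumes the FORWARD chain jumps to ICMP.

# Corrected chain: one explicit-unit limiter per echo direction with an
# explicit -j, unconditional accept for ICMP error types, rate-limited LOG.
corrected_icmp_rules() {
    cat <<'EOF'
iptables -N ICMP
iptables -F ICMP
iptables -A ICMP -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 10 -j ACCEPT
iptables -A ICMP -p icmp --icmp-type echo-reply -m limit --limit 2/second --limit-burst 10 -j ACCEPT
iptables -A ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A ICMP -p icmp --icmp-type source-quench -j ACCEPT
iptables -A ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A ICMP -p icmp -m limit --limit 4/minute -j LOG --log-level 5 --log-prefix "ICMP DROP: "
iptables -A ICMP -p icmp -j DROP
EOF
}

# Constructed copy of the defective rules from the original post.
original_post_rules() {
    cat <<'EOF'
/sbin/iptables -A ICMP -m limit -p ICMP -i eth2 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth1 --limit 1 --limit-burst 10
/sbin/iptables -A ICMP -m limit -p ICMP -i eth0 --limit 1 --limit-burst 10
EOF
}

# Lint rules read from stdin: report each "-m limit" rule without a -j
# target and each "--limit N" lacking a /unit. Findings go to stderr,
# the total count to stdout.
lint_limit_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in *" -A "*" -m limit "*) ;; *) continue ;; esac
        case "$line" in
            *" -j "*) ;;
            *) echo "no -j target: $line" >&2; bad=$((bad + 1)) ;;
        esac
        case "$line" in *"--limit "*)
            rest=${line##*"--limit "}      # text after the last "--limit "
            lim=${rest%% *}                # its first word, e.g. 1 or 5/second
            case "$lim" in
                */*) ;;
                *) echo "no unit on --limit $lim: $line" >&2; bad=$((bad + 1)) ;;
            esac ;;
        esac
    done
    echo "$bad"
}

# Demo: the original rules produce 6 findings, the corrected chain none.
original_post_rules | lint_limit_rules >/dev/null
```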



* RE: ICMP floods
  2003-10-15 16:36 ` Jim Carter
@ 2003-10-16  2:38   ` Edmund Turner
  0 siblings, 0 replies; 7+ messages in thread
From: Edmund Turner @ 2003-10-16  2:38 UTC (permalink / raw)
  To: 'Jim Carter'; +Cc: netfilter


Jim, thanks for the tip! I just noticed that I missed the 'J'. I've
rewritten the rules as you advised.

Regards
edmund




