----- Original Message -----
From: "Rick Moen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, April 06, 2003 2:48 PM
Subject: Re: [plug] ICMP


> Quoting fooler ([EMAIL PROTECTED]):
>
> > this will only prevent the kernel logging of warning errors to your log
> > file but still the attacker is flooding your network segment...  there are
> > lots of good routers by default filtering this out..
>
> It's really only worth a little effort filtering out bogus or stupidly
> constructed network traffic.  I personally drop various broadcast
> packets, RFC1918 private-IP packets that somehow showed up on the wrong
> side of a NAT host, and probably not much else.  It's not worth the
> time, ruleset complication, CPU load, and RAM to do much else, in my
> view.  Most of the "illegal" traffic is basically harmless, if you run
> your machine attentively, and not worth wasting time on.

yes it is basically harmless in the sense that modern hosts are already
aware of and protect themselves from this kind of attack... unfortunately, if
your network is sitting on a big pipe, the rapid speed of incoming illegal
packets destined to your network broadcast address will surely affect the
performance and speed not only of your hosts but also of your switch and the
network bandwidth on that network segment... for network bandwidth, it will
increase the bandwidth utilization due to the broadcast storm... for the
switch, it will increase cpu utilization, collisions (in case that port is
not in full duplex mode) and forwarding latency, because when a switch
receives a broadcast packet, it sends it to all ports on that switch...
and for all hosts on that network segment, it will consume more cpu cycles
and ram per host, because when a host receives an illegal icmp packet, for
example... the ethernet module will be the first one to receive this packet
and validate it (eg. crc error checking and others), then pass it to the ip
module, which validates it again, until it reaches the icmp module, which
validates it again... at the icmp module, the kernel sees it as an illegal
packet; it will log to a log file if
net/ipv4/icmp_ignore_bogus_error_responses is disabled, and the kernel will
silently discard it... with this scenario, it is much better to filter
this out at the router side rather than on a per host basis :->

> A word about ruleset complication:  Filtering routers (what Linux people
> tend to rather vaguely call "firewalls") have the problem of not
> failsafing:  If you make mistakes, you can create hideously problematic
> holes in the security perimeter you think you're enforcing.  (In that
> regard, they differ from application-level proxy gateways.)  Therefore,
> it pays to have simple rulesets that behave predictably and that you
> understand well.

yes that is true, the simpler the ruleset the better, but there is always a
trade-off...

with regard to misconfiguration.. i always apply this rule: "if a problem is
not completely understood, it is probably best to provide no solution at all"
:->

fooler.
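
The ICMP-layer validation fooler walks through above, as an added example that is not part of the thread or written by its participants: a "bogus error response" in the sense of the net/ipv4/icmp_ignore_bogus_error_responses sysctl is an ICMP error message whose quoted original datagram was addressed to a broadcast address, which RFC 1122 section 3.2.2 says a host must not answer with an ICMP error. The packet builders, addresses and the 192.0.2.0/24 network are constructed sample data, and the outer IP header checksum is deliberately left zero since only the ICMP checksum is checked here.

```python
import ipaddress
import struct

# Added example, not from the thread: "bogus" here means an ICMP error whose quoted
# datagram was sent to a broadcast address (RFC 1122 section 3.2.2 forbids answering it).
ICMP_ERROR_TYPES = {3: "dest-unreach", 11: "time-exceeded", 12: "param-problem"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for data carrying a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero; constructed sample only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_icmp_error(itype: int, code: int, quoted: bytes) -> bytes:
    """ICMP error: type, code, checksum, 4 unused bytes, then the quoted original datagram."""
    body = struct.pack("!BBHI", itype, code, 0, 0) + quoted[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def classify(pkt: bytes, local_net: ipaddress.IPv4Network) -> str:
    """Return 'not-icmp-error', 'bad-checksum', 'bogus-broadcast' or 'ok' for one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                      # protocol byte: 1 is ICMP
        return "not-icmp-error"
    icmp = pkt[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        return "not-icmp-error"
    if inet_checksum(icmp) != 0:         # the icmp-module validation step
        return "bad-checksum"
    inner_dst = ipaddress.IPv4Address(icmp[8 + 16:8 + 20])   # dst of quoted datagram
    if inner_dst in (local_net.broadcast_address,
                     ipaddress.IPv4Address("255.255.255.255")):
        return "bogus-broadcast"
    return "ok"

# Constructed samples: a router at 192.0.2.1 answering a datagram sent to the subnet broadcast.
LOCAL_NET = ipaddress.IPv4Network("192.0.2.0/24")
ORIGINAL_BCAST = build_ipv4("192.0.2.10", "192.0.2.255", 17, b"\x00" * 8)
ORIGINAL_UNICAST = build_ipv4("192.0.2.10", "198.51.100.7", 17, b"\x00" * 8)
BOGUS = build_ipv4("192.0.2.1", "192.0.2.10", 1, build_icmp_error(3, 3, ORIGINAL_BCAST))
LEGIT = build_ipv4("192.0.2.1", "192.0.2.10", 1, build_icmp_error(3, 3, ORIGINAL_UNICAST))
```

Running classify over captured ICMP errors at the router, rather than on each host, is the per-segment filtering point made above; only the "bogus-broadcast" class corresponds to the kernel warning the sysctl silences.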


Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph

To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
