Best way to filter "Nachi pings"?

Gaspar Chilingarov nm at web.am
Mon Oct 27 11:19:05 PST 2003 

Hello

here it is the dump of such packets -

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236
(FastEthernet5
620185F0:              0002 4A6E40C8 00D05201        ..Jn at H.PR.
62018600: 312E0800 4500005C 99180000 7E01A9DF  1...E..\....~.)_
62018610: D97110DA D97135EC 08009A83 02000627  Yq.ZYq5l.......'
62018620: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018630: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018640: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018650: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
62018660: 31                                   1
6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.237
(FastEthernet5
6201FF40:                                0002                ..
6201FF50: 4A6E40C8 00D05201 312E0800 4500005C  Jn at H.PR.1...E..\
6201FF60: 99190000 7E01A9DD D97110DA D97135ED  ....~.)]Yq.ZYq5m
6201FF70: 08009983 02000727 AAAAAAAA AAAAAAAA  .......'********
6201FF80: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FF90: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FFA0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
6201FFB0: AAAAAAAA AAAAAAAA 31                 ********1

6d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.179
(FastEthernet5/0/0), len 92, access denied
61B6B380:     0002 4A6E40C8 00D05201 312E0800    ..Jn at H.PR.1...
61B6B390: 4500005C 98D90000 7E01AA57 D97110DA  E..\.Y..~.*WYq.Z
61B6B3A0: D97135B3 0800D283 0200CE26 AAAAAAAA  Yq53..R...N&****
61B6B3B0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3C0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3D0: AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA  ****************
61B6B3E0: AAAAAAAA AAAAAAAA AAAAAAAA 01        ************.



and also one packet split to fields:
d17h: IP: s=217.113.16.218 (FastEthernet6/1/0), d=217.113.53.236
(FastEthernet5

# offset = 0
00:02:4A:6E:40:C8 00:D0:52:01:31:2E 0800                ether frame
# offset=14
4500005C                                                        # ip frame -
5c mean total len 92 bytes
98D90000
7E01AA57                                                                 #
01 means icmp protocol
D97110DA
D97135B3
#offset=34
0800D283                                                                #
icmp header  - 08 - type echo req, code 00
0200CE26                                                                 #
id, queue number
#offset=42
AAAAAAAA
AAAAAAAA
AAAAAAAA
AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA
AAAAAAAA AAAAAAAA AAAAAAAA 01


so . if you can filter by packet content you can easily drop only Nachi's
icmp packets .... :)
a little bit offtop - I've setup content filters on Lucent Max and this
helped a lot to decrease load to network. so we sould seek way to filter by
packet content, not by length.

With best regards,
Gaspar Chilingarov
________________________________________________
WEB ISP - leader in wireless/DSL/dialup services
in Armenia. Go to http://www.web.am/

More information about the freebsd-security mailing list