[AusNOG] network security Question
Chris Ricks
chris.ricks at securepay.com.au
Tue May 20 17:31:28 EST 2014
I am reminded of a network security-related request about 10 years ago
from a then-client in a previous role.
It came in the form of a Post-It note containing the following words:
"Block Malaysia!"
The follow-up question was "Who do you know in Malaysia who can test
that you haven't buggered it up?"
On 20/05/14 16:47, Tim March wrote:
> This is a reasonable approach.
>
> I normally do something like this...
>
> --- BEGIN PASTE ---
> remark --- deny unroutable networks ---
> deny ip 0.0.0.0 0.255.255.255 any
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip 169.254.0.0 0.0.255.255 any
> deny ip 192.0.2.0 0.0.0.255 any
> deny ip 224.0.0.0 15.255.255.255 any
> deny ip 240.0.0.0 7.255.255.255 any
> deny ip 248.0.0.0 7.255.255.255 any
> deny ip host 255.255.255.255 any
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> remark --- permit link control and utility traffic ---
> permit icmp any any echo
> permit icmp any any echo-reply
> permit icmp any any host-unknown
> permit icmp any any time-exceeded
> permit icmp any any traceroute
> permit icmp any any unreachable
> permit tcp any any established
> --- END PASTE ---
>
> IMO arbitrarily filtering all ICMP serves more to give legitimate actors
> the sh!ts than it does preventing actions from malicious ones. Anyone
> port-scanning or mapping your network is probably doing it with SYN
> anyway, so it's largely pointless.
>
> With regards to arbitrarily blocking whole country netblocks; sure, some
> people do it. Having your IDS/IPS temporarily block trouble addresses is
> probably a better solution if you want to go down that path, though.
>
> 2c
>
>
>
> T.
>
> On 20/05/14 3:45 PM, Joseph Goldman wrote:
>> Funnily enough, I am preparing some routers for production and
>> configuring firewalls for this very reason, so have recently found a
>> list ready for ICMP blocking:
>>
>> add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
>> comment="echo reply"
>> add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
>> comment="net unreachable"
>> add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
>> comment="host unreachable"
>> add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
>> comment="host unreachable fragmentation required"
>> add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
>> comment="allow source quench"
>> add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
>> comment="allow echo request"
>> add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
>> comment="allow time exceed"
>> add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
>> comment="allow parameter bad"
>> add chain=icmp action=drop comment="deny all other types"
>>
>>
>> This is for RouterOS, gives 8 different types (and description) of ICMP
>> that you should allow then block the rest. Adjust for your own operating
>> system.
>>
>> Thanks,
>> Joe
>>
>> On 20/05/14 14:03, Colin Stubbs wrote:
>>> ICMP is more than just echo requests and replies or "ping" as so many
>>> think of it.
>>>
>>> If you're dropping unreachables and time exceeded error messages odds
>>> are your network won't work at all, or the apps on top will perform
>>> badly while experiencing intermittent problems.
>>>
>>> With respect to "ping" I would deny echo request from untrusted zones
>>> to anywhere, deny echo reply to untrusted from anywhere, but allow
>>> echo request from trusted to anywhere with echo reply from anywhere to
>>> trusted.
>>>
>>> You could do something similar with ICMP traceroute if you want to.
>>> UDP/TCP traceroute must be permitted by firewalls along with letting
>>> the ICMP TTL exceeded and unreachables pass unhindered.
>>>
>>> Make sure you understand ICMP types and sub types before you go trying
>>> to enforce any policy changes.
>>>
>>> http://en.m.wikipedia.org/wiki/Internet_Control_Message_Protocol
>>>
>>> Policy based on geographical source, e.g. "I don't trust China and
>>> have no need to communicate with Russia" is increasingly common in
>>> enterprise... Not exactly feasible in service provider land.
>>>
>>> Sent from a mobile device. Correct spelling and accurate use of
>>> grammar is unlikely to have occurred.
>>>
>>> On 20/05/2014 1:37 pm, "Alex Samad - Yieldbroker"
>>> <Alex.Samad at yieldbroker.com> wrote:
>>>
>>> Hi
>>>
>>> Wondering what people do around
>>> 1) letting through icmp
>>>
>>> I like the idea of allowing icmp through, it makes network diagnosis a
>>> lot easier, but I don't want to be bombed.
>>> What sort of rate limiting do people think is acceptable?
>>> What's acceptable from a client to confirm connectivity?
>>>
>>>
>>> 2) blacklisting IPs
>>>
>>> So I have (like a lot of others) people port scanning looking for
>>> open ports. What sort of levels do people actually do something
>>> about?
>>>
>>> I'm asking as an end user, but I am also curious to know what
>>> providers do.
>>>
>>> I have heard of companies blocking entire ranges, for example say
>>> China and/or Russia as they have no clients there. Do people do
>>> that, do ISPs provide that service (can that be done through the
>>> auto black hole mechanism?)
>>>
>>>
>>> Alex
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>>
>>
>>
>>
> PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
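The thread above agrees on the shape of a sane ICMP policy: drop unroutable sources, always pass the error messages that traceroute and path-MTU discovery depend on (unreachables, time exceeded, parameter problem), treat echo by zone (Colin's rule), and rate-limit what is left so "ping" cannot be used to bomb you (Alex's question). The evaluator below is an added example written for this archive page; it is not code from any of the posters, and it is not a Cisco or RouterOS configuration. It applies those rules to constructed sample packets so the interaction between the rules can be checked. The zone names, the per-source token-bucket parameters, the short "reply window" that stands in for stateful echo matching, and all addresses and packets are assumptions made for the example; type 4 (source quench) from the RouterOS list is left out because RFC 6633 deprecated it.

```python
import ipaddress

# Unroutable / bogon source prefixes, as in the Cisco-style ACL quoted above.
UNROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16",
)]
BROADCAST = ipaddress.ip_address("255.255.255.255")

# (type, code) pairs always permitted: the error messages traceroute and
# path-MTU discovery need (net/host unreachable, frag-needed, time exceeded,
# parameter problem). Matches the RouterOS allow list minus source quench.
ALWAYS_ALLOW = {(3, 0), (3, 1), (3, 4), (11, 0), (12, 0)}
ECHO_REPLY, ECHO_REQUEST = 0, 8


class TokenBucket:
    """Classic token bucket: refills at `rate` tokens/s up to `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), now

    def take(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EchoRateLimiter:
    """Per-source bucket for echo requests arriving from an untrusted zone.
    It also remembers which sources were recently let through so the matching
    echo reply can be let back out (a minimal stand-in for stateful matching;
    parameters are assumptions for this example)."""
    def __init__(self, rate=1.0, burst=5, reply_window=2.0):
        self.rate, self.burst, self.reply_window = rate, burst, reply_window
        self.buckets, self.accepted_at = {}, {}

    def allow_request(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        ok = bucket.take(now)
        if ok:
            self.accepted_at[src] = now
        return ok

    def reply_expected(self, dst, now):
        t = self.accepted_at.get(dst)
        return t is not None and 0.0 <= now - t <= self.reply_window


def icmp_policy(pkt, limiter=None, now=0.0):
    """Return ("accept" | "drop", reason) for one ICMP packet described as a
    dict with src, dst, src_zone, dst_zone, type and code."""
    src = ipaddress.ip_address(pkt["src"])
    if src == BROADCAST or any(src in net for net in UNROUTABLE):
        return "drop", "unroutable source"
    if (pkt["type"], pkt["code"]) in ALWAYS_ALLOW:
        return "accept", "error message needed for path diagnostics"
    if pkt["type"] == ECHO_REQUEST:
        if pkt["src_zone"] == "trusted":
            return "accept", "echo request from trusted zone"
        if limiter is not None and limiter.allow_request(pkt["src"], now):
            return "accept", "echo request from untrusted zone within rate limit"
        return "drop", "echo request from untrusted zone"
    if pkt["type"] == ECHO_REPLY:
        if pkt["dst_zone"] == "trusted":
            return "accept", "echo reply to trusted zone"
        if limiter is not None and limiter.reply_expected(pkt["dst"], now):
            return "accept", "echo reply answering a rate-limited request"
        return "drop", "echo reply to untrusted zone"
    return "drop", "ICMP type not on allow list"


def _pkt(src, dst, src_zone, dst_zone, typ, code, t):
    return dict(src=src, dst=dst, src_zone=src_zone, dst_zone=dst_zone,
                type=typ, code=code, t=t)

# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLE_PACKETS = [
    _pkt("10.1.2.3", "198.51.100.10", "untrusted", "trusted", 8, 0, 0.0),    # RFC1918 source
    _pkt("203.0.113.7", "198.51.100.10", "untrusted", "trusted", 11, 0, 0.0),  # time exceeded
    _pkt("203.0.113.7", "198.51.100.10", "untrusted", "trusted", 3, 4, 0.0),   # frag needed
    _pkt("198.51.100.10", "203.0.113.7", "trusted", "untrusted", 8, 0, 0.0),   # our ping out
    _pkt("203.0.113.7", "198.51.100.10", "untrusted", "trusted", 0, 0, 0.0),   # reply back in
    _pkt("203.0.113.7", "198.51.100.10", "untrusted", "trusted", 8, 0, 1.0),   # inbound ping 1
    _pkt("203.0.113.7", "198.51.100.10", "untrusted", "trusted", 8, 0, 1.0),   # inbound ping 2
    _pkt("203.0.113.7", "198.51.100.10", "untrusted", "trusted", 8, 0, 1.0),   # inbound ping 3
    _pkt("198.51.100.10", "203.0.113.7", "trusted", "untrusted", 0, 0, 1.5),   # our reply out
    _pkt("203.0.113.7", "198.51.100.10", "untrusted", "trusted", 13, 0, 2.0),  # timestamp request
]


def run_sample(limiter=None):
    """Evaluate the sample packets in order; returns the list of decisions."""
    return [icmp_policy(p, limiter, now=p["t"])[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p, d in zip(SAMPLE_PACKETS, run_sample(EchoRateLimiter(rate=1.0, burst=2))):
        print(f"{p['src']:>14} -> {p['dst']:<14} type {p['type']:>2}/{p['code']}  {d}")
```

Without a limiter the function is exactly Colin's rule: inbound echo requests from the untrusted zone are dropped and so are the replies to them. With a limiter of burst 2, the first two inbound pings are answered and the third in the same instant is dropped, which is the "let clients confirm connectivity without being bombed" middle ground Alex asked about; in a real deployment the equivalent is a per-source rate limit on type 8 plus stateful matching for the reply, not a fixed window.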