RHEL6–43– IP TABLES IN LINUX-P5
IP Tables digging deeper
PING OF DEATH:
What is ping of death?
[root@rhel6-client1 ~]# ping -f -s 65500 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 65500(65528) bytes of data.
.^C
--- 192.168.135.142 ping statistics ---
46916 packets transmitted, 46915 received, 0% packet loss, time 249276ms
rtt min/avg/max/mdev = 1.515/5.164/44.228/1.083 ms, pipe 3, ipg/ewma 5.313/5.359 ms
This is ping of death:
-f  flood
-s  packet size
From the output we can see that it is enough to choke the entire bandwidth in no time. The target system's whole resource will be busy replying to ICMP packets of the same size as the incoming packets, and in no time its resources will start to exhaust.
HOW TO STOP PING OF DEATH/DoS:
#iptables -A INPUT -i eth0 -p icmp -m limit --limit 1/s -j ACCEPT
The new matching criterion here is limit, by which we are limiting ICMP packets to 1 packet/second.
Is this able to fulfill the purpose?
NO... But why?
Here we are limiting to 1 packet per second, so it will only check for 1 pkt/sec; it doesn't bother about packet size.
Then what?
[root@rhel6-server ~]# iptables -L --line-numbers
15   ACCEPT  icmp -- anywhere  anywhere  limit: avg 1/sec burst 5
[root@rhel6-server ~]# iptables -D INPUT 15
[root@rhel6-server ~]# iptables -A INPUT -i eth0 -p icmp -j REJECT
This rule is very harsh; it will stop all ping.
Then what?
Finally, we will use the matching criterion "length":
# iptables -A OUTPUT -p icmp -m length --length 1:100 -j ACCEPT
# iptables -A INPUT -p icmp -m length --length 1:100 -j ACCEPT
Allowing packet length from 1 to 100 and then dropping all the rest:
[root@rhel6-server ~]# iptables -A INPUT -p icmp -j DROP
GREAT... now I am able to ping with a packet size under the limit.
[root@rhel6-client1 ~]# ping -s 32 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 32(60) bytes of data.
40 bytes from 192.168.135.142: icmp_seq=1 ttl=64 time=0.311 ms
40 bytes from 192.168.135.142: icmp_seq=2 ttl=64 time=0.377 ms
^C
[root@rhel6-client1 ~]# ping -s 72 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 72(100) bytes of data.
80 bytes from 192.168.135.142: icmp_seq=1 ttl=64 time=0.226 ms
80 bytes from 192.168.135.142: icmp_seq=2 ttl=64 time=0.387 ms
^C
[root@rhel6-client1 ~]# ping -s 73 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 73(101) bytes of data.
^C
--- 192.168.135.142 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2536ms
[root@rhel6-client1 ~]# ping -s 96 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 96(124) bytes of data.
^C
OK, I am able to ping up to packet size 72, but I had given the range 1-100. Let's check again by changing the range from 1:100 to 1:200.
# iptables -A OUTPUT -p icmp -m length --length 1:200 -j ACCEPT
# iptables -A INPUT -p icmp -m length --length 1:200 -j ACCEPT
[root@rhel6-client1 ~]# ping -s 96 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 96(124) bytes of data.
104 bytes from 192.168.135.142: icmp_seq=1 ttl=64 time=0.281 ms
104 bytes from 192.168.135.142: icmp_seq=2 ttl=64 time=0.406 ms
^C
[root@rhel6-client1 ~]# ping -s 172 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 172(200) bytes of data.
180 bytes from 192.168.135.142: icmp_seq=1 ttl=64 time=0.294 ms
180 bytes from 192.168.135.142: icmp_seq=2 ttl=64 time=0.439 ms
^C
[root@rhel6-client1 ~]# ping -s 173 192.168.135.142
PING 192.168.135.142 (192.168.135.142) 173(201) bytes of data.
^C
BUT WHY?
Here I am trying with packet length 172 and the result is successful, but when I try with packet length 173 it is unsuccessful. The reason behind this is the TCP packet size: TCP adds a header of 20 bytes or more to its packet, so whenever we try to ping with any packet size, 20 bytes or more are added to that packet. If the whole size exceeds 200 bytes it is dropped; otherwise it is passed, as per the rule defined in iptables.
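As an added example (not code from the original post), this POSIX shell script models what a "-m length --length 1:N" rule on INPUT sees for "ping -s PAYLOAD" (the payload plus the 8-byte ICMP header and the 20-byte IPv4 header, which is the figure ping prints in parentheses) and walks the chain first-match-wins, which also shows why an ACCEPT appended with -A after the earlier "-j DROP" is never reached. The helper names icmp_wire_len, max_ping_payload and input_verdict are hypothetical, and the chain policy is assumed to be ACCEPT.

```shell
#!/bin/sh
# Added example, not code from the original post. Models what "-m length --length 1:N"
# on the INPUT chain sees for an echo request sent with "ping -s PAYLOAD", and why the
# ACCEPT rule has to sit before the catch-all DROP. IPv4 only; no iptables needed.

# Datagram length that "-m length" inspects: ping payload + 8-byte ICMP header
# + 20-byte IPv4 header. This is the figure ping prints in parentheses,
# e.g. "172(200) bytes of data".
icmp_wire_len() {
    echo $(( $1 + 8 + 20 ))
}

# Largest "-s" value that still fits a "--length 1:MAX" rule (MAX - 28).
max_ping_payload() {
    echo $(( $1 - 28 ))
}

# First-match-wins walk of an INPUT chain for one echo request.
# $1 = ping payload size; remaining args = rules in chain order, written as
# "length:MIN:MAX:TARGET" or "icmp:TARGET". Prints the verdict.
input_verdict() {
    payload=$1; shift
    len=$(icmp_wire_len "$payload")
    for rule in "$@"; do
        case $rule in
            length:*)
                min=$(echo "$rule" | cut -d: -f2)
                max=$(echo "$rule" | cut -d: -f3)
                target=$(echo "$rule" | cut -d: -f4)
                if [ "$len" -ge "$min" ] && [ "$len" -le "$max" ]; then
                    echo "$target"; return 0
                fi ;;
            icmp:*)
                # "-p icmp -j TARGET" with no further match: every ICMP packet hits it.
                echo "${rule#icmp:}"; return 0 ;;
        esac
    done
    # No rule matched: assumed chain policy ACCEPT (the post never sets -P INPUT).
    echo ACCEPT
}

# Chain the post intends: ACCEPT 1:200 checked before the DROP.
echo "ping -s 172, ACCEPT before DROP: $(input_verdict 172 length:1:200:ACCEPT icmp:DROP)"
echo "ping -s 173, ACCEPT before DROP: $(input_verdict 173 length:1:200:ACCEPT icmp:DROP)"
# Same two rules but ACCEPT appended with -A after an existing DROP: never reached.
echo "ping -s 32,  ACCEPT after DROP:  $(input_verdict 32 icmp:DROP length:1:200:ACCEPT)"
```

To see the post's cut-off for a given rule, call max_ping_payload with the rule's upper bound: 100 gives 72 and 200 gives 172, matching the sizes at which ping stopped getting replies.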