It's not a DoS... It's from those folks (Windows users) who are still infected with either the Welchia virus (or related) and still don't have a clue about it. (This is typically a significant number of users who are security illiterate... They weren't taught about basic network security... And in all likelihood have not patched their systems or updated their AV solution.)

You can't really stop it, other than to act defensively. Do what Chet Harvey said: don't log it and drop it.

This is what ICMP is really used for...
http://www.freesoft.org/CIE/Topics/81.htm

But of course, you can add "for virus spreading". (Thanks to Welchia and similar)...

If you suffer from DoS or DDoS, you'll see that your connection will be really, really slow. (Some firewalls are overwhelmed and just freeze up, requiring a manual reset.)

----- Original Message -----
From: "Matt McGuire" <mmcguire at o1 dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, May 23, 2004 4:13 AM
Subject: [m0n0wall] Stopping DoS attacks

> At times I am getting a lot of activity in the firewall logs. I assume
> this is a DoS attack with icmp? Am I correct? Also what is the best
> way to stop this from happening? I do not let this traffic through,
> however the load on the firewall becomes so high that WAN access is
> slowed to a crawl. Below is one of many identical entries.
>
> 11:06:03.544257 sis1 @0:19 b 63.163.92.73 -> 0.0.0.0 PR icmp len 20 56
> icmp timxceed/transit for 0.0.0.0 - 63.163.92.1 PR icmp len 20 56 icmp
> 3/2 IN
>
> Thanks,
> Matthew
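
One way to check from the log itself whether the blocked ICMP is a trickle from many hosts or a high-rate burst, as an added example that is not part of the original thread. It assumes the field layout of the entry quoted above and reads the `b` action flag as "blocked"; the name `summarize` and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# Field layout assumed from the entry quoted in the thread:
# time iface @group:rule action src -> dst PR proto len hlen plen [icmp type/code ...]
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+\s+(?P<iface>\S+)\s+@\d+:\d+\s+"
    r"(?P<action>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)"
    r"\s+len\s+\d+\s+\d+(?:\s+icmp\s+(?P<icmp>\S+))?"
)

# First line is the entry from the thread; the rest are constructed samples.
SAMPLE = [
    "11:06:03.544257 sis1 @0:19 b 63.163.92.73 -> 0.0.0.0 PR icmp len 20 56 "
    "icmp timxceed/transit for 0.0.0.0 - 63.163.92.1 PR icmp len 20 56 icmp 3/2 IN",
    "11:06:03.601100 sis1 @0:19 b 192.0.2.10 -> 198.51.100.5 PR icmp len 20 92 icmp echo/0 IN",
    "11:06:03.733000 sis1 @0:19 b 192.0.2.11 -> 198.51.100.5 PR icmp len 20 92 icmp echo/0 IN",
    "11:06:04.120000 sis1 @0:19 b 192.0.2.10 -> 198.51.100.5 PR icmp len 20 92 icmp echo/0 IN",
    "11:06:04.500000 sis1 @0:7 p 198.51.100.5,1025 -> 192.0.2.80,80 PR tcp len 20 48 -S OUT",
    "not a firewall log line",
]

def summarize(lines):
    """Count blocked ICMP entries per source, per ICMP type and per second."""
    by_src, by_type, per_second = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "icmp" or m["action"] != "b":
            continue  # unparsable, not ICMP, or not a blocked packet
        by_src[m["src"]] += 1
        by_type[m["icmp"] or "unknown"] += 1
        per_second[(m["h"], m["m"], m["s"])] += 1
    return {
        "blocked_icmp": sum(by_src.values()),
        "sources": len(by_src),
        "top_source": by_src.most_common(1)[0] if by_src else None,
        "types": dict(by_type),
        "peak_per_second": max(per_second.values(), default=0),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Many distinct sources with a low peak rate point to the background traffic described in the reply; a high peak rate is the case where dropping without logging matters most for firewall load.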