Jeffrey J. Nonken on Fri, 26 Sep 2003 19:33:04 -0400



Re: [PLUG] Firewall Check


On Wed, 24 Sep 2003 13:13:52 -0400, Paul wrote:
>I'm far from confused about IPv4 networking.  I'm only mildly concerned
>about ICMP because all other protocols have been filtered already.  I
>like the idea of ignoring "icmp_echo_ignore_broadcasts".  I just want my
>system to respond to legitimate pings from the Internet without being
>overly permissive to ICMP communications.

I've been the happy (!) recipient of a ping flood. One of my gaming acquaintances started sending pings as fast as he could to my address. Since he had more uplink bandwidth than I did, he was able to pretty much shut me down all day. (I was at work when it happened and didn't really figure out what was happening until I got home.)

The problem went away when I blocked pings, which required some kludging on my then-Windoze firewall. Long story, but in any case, when I confronted him about it, he claimed he'd been hijacked and acted quite indignant at being used. I of course don't believe a word of it.

There are also gaming clans that are suspected of performing ping floods on their opponents' systems during matches. Nobody has gathered enough evidence to take any action, but it IS rather suspicious to have your connection suddenly degrade when you've had no problems all week. Especially when it happens selectively to your best players.

After my ping flood I noticed a period where my connection was quite variable; I'd be online playing Quake, and everything would be fine, and then I'd suddenly get massive packet loss for several minutes. Then it would go away and everything would be fine for a while. I only noticed this in gameplay. Of course, in most other applications it would be less critical -- email isn't real-time, and some packet loss on your web browsing might not be noticed (delays are par for the course, and lost packets would presumably be re-sent). But again, it seemed somewhat selective, and having a fixed IP address and not being able to maintain my kludge, I was vulnerable.

Since then several things have happened.

One, Verizon changed my service. I now have a dynamic IP address. I've managed to work around it for things I needed, but the point is that I'm now a moving target.

The packet loss problem stopped immediately.

Of course, I'm now going through different parts of the Verizon network, so there's no reason that it couldn't be a problem at Verizon's end that simply got bypassed once they switched me over to PPPoE. But I'm still suspicious. Not all those gamers are entirely ethical, and a lot of 'em like to stir up trouble just for fun.

Two, I now have a Smoothwall firewall. That poor Windoze box just couldn't handle the transition. So I should be less vulnerable to several kinds of attack, and I should be more able to see problems in the logs.

Three, I've altered the firewall configuration slightly -- it should be rejecting ping requests now.

Four, I took an extra precaution to make myself less easy to find. If you look me up on irc.enterthegame.com and do a /whois on me, you'll get jnork@eXploited.on.EnterTheGame.Com, which is a virtual host service provided by the IRC server. You can still find me, but you won't get anything useful with a /whois.

-----
Jeffrey J. Nonken
http://jnork.nonken.net/


_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug