
How to disable ICMP ping protocol on Linux router with iptables to protect against ping Flood Denial of Service

Monday, October 14th, 2013

It's useful to disable ICMP echo replies sometimes on Linux, especially if you have to deal with abusive script kiddies trying to DoS your host using an ICMP Ping flood. Though ICMP Ping Flood is no longer used as much as it was in the past, there are still some malicious users who try to use it to take revenge on a company for being mistreated, or simply because someone paid them to cause a company financial loss by DDoS-ing its internet portal or whatever …

From a system administrator's position, implementing a tiny one-liner iptables rule protects well against a basic ICMP Ping Flood. The rule will not be hard for an experienced attacker to get around, but it will still stop a lot of shit ICMP traffic:

Here is the rule:

fw-server:~# iptables -I INPUT -j DROP -p icmp --icmp-type echo-request

Sometimes it's necessary to filter the IPs of certain hosts trying to DoS you. To do so:

fw-server:~# iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP -p icmp --icmp-type echo-request

To disable ICMP ping requests on the IPv6 protocol:

fw-server:~# ip6tables -I INPUT -p icmpv6 --icmpv6-type echo-request -j DROP

Note that the above firewall rules do not drop all ICMP traffic (some ICMP message types are necessary for standard TCP/IP or UDP applications to operate properly); they DROP only packets of the ICMP echo request type.

If later it's necessary to temporarily enable ping on the server, the quickest way is to FLUSH the whole INPUT chain (this removes every rule in INPUT, not only the ping rule), i.e.:

fw-server:~# iptables -F INPUT

If it's necessary to delete just the PING echo-request DROP rule, one can also use:

fw-server:~# iptables --list --line-numbers

and

fw-server:~# iptables -D INPUT 10

Here 10 is the line number at which the DROP icmp rule is shown.
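As an alternative to flushing the chain or counting line numbers, this added example (not part of the original post) turns rule listings in the style of `iptables -S INPUT` into exact delete commands for the echo-request DROP rules only. The sample rules are constructed and the function names are hypothetical; it assumes rules are printed in the `-A INPUT ...` form shown, with echo-request appearing as type `8` or by name.

```sh
#!/bin/sh
# Added example: build exact `iptables -D` commands for ping DROP rules,
# leaving every other INPUT rule untouched.

# Constructed sample in the style of `iptables -S INPUT` output.
# On a live firewall, feed the function with: iptables -S INPUT
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j DROP
EOF
}

# Read rule specs on stdin and print one delete command per
# echo-request DROP rule. Deleting by full rule spec avoids removing
# the wrong rule when line numbers shift between listing and deleting.
ping_drop_delete_cmds() {
    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT "*"-p icmp "*"--icmp-type 8 "*"-j DROP" | \
            "-A INPUT "*"-p icmp "*"--icmp-type echo-request "*"-j DROP")
                # Swap the leading -A (append) for -D (delete).
                printf 'iptables -D %s\n' "${rule#-A }"
                ;;
            *)
                # Policy line, other ICMP types, other protocols: keep.
                ;;
        esac
    done
}

# Print the commands for review; nothing is executed against the firewall.
sample_rules | ping_drop_delete_cmds
```

Review the printed commands before running them as root; the ACCEPT rule for ICMP type 3 and the SSH rule are deliberately left out of the output.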

Well that's it now your server will be a bit more secure 😉 Enjoy