From owner-freebsd-security Mon Feb 19 14:27:12 2001
Date: Mon, 19 Feb 2001 16:26:27 -0600 (CST)
From: Bryan Bradsby
To: Thomas Cannon
Cc: Andy Kim,
Subject: Re: ICMP floods

One of our Certified NT techs installed a personal firewall at home that was reporting an ICMP "DOS flood" from one of our DNS servers. So he sent an e-mail to my boss saying he was sure the server was hacked, including 10 Megabytes of bitmaps to "prove" it.

I checked the logs and saw 9 packets per second from his box from port 137 to port 137 on the FreeBSD DNS server. Of course the FreeBSD server was sending back ICMP port unreach, just as it should, for each of these Netbios queries.

It seems to me these personal firewalls are (by default) set too sensitive and lump together dangerous and innocuous packet types, resulting in the customer being very surprised to see all those "people hacking my computer". The vendor looks "good" because their product reports "attacks", the customer feels comfortable that "he is now protected", and legitimate infrastructure operators repeatedly explain to very skeptical consumers that one ICMP echo return (per day) is not an attack on their computer.

-bryan bradsby
================================

On Mon, 19 Feb 2001, Thomas Cannon wrote:

> * Andy Kim [010219 13:18] wrote:
> > Some of the servers have been getting hit several times with ICMP
> > floods from our FreeBSD server and we can't figure out why. They
> > believe that someone had hacked in and put a trojan on our box.
> > Is there any way of finding out what's going on and more importantly,
> > how to fix the problem? Any help would be greatly appreciated as
> > I am rather new to FreeBSD.
>
> Hi Andy.
>
> What is being used to detect these ICMP floods? What version of FreeBSD do
> you have? Also, do you see anything in the FBSD machine's logs about icmp
> source-quench or bandwidth-limit icmp packets being issued?
>
> It's possible that the machine is broken, yes, but it's also possible that
> the measuring device is broken, or that something is misconfigured, or god
> only knows what.
>
> Cheers,
>
> tcannon
>
> Richard Feynman was a hacker; read any of his books.
> -Bruce Schneier

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
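The case Bryan describes (a server answering each NetBIOS query the workstation itself sent to a closed UDP port with ICMP port unreachable) is exactly the kind of traffic a personal firewall flags as a "flood" when it looks at inbound ICMP in isolation. Correlating each inbound port-unreachable with the host's own recent outbound UDP to that host and port separates self-induced replies from genuinely unsolicited ones. The following is an added example and is not code from this thread, from FreeBSD, or from any firewall vendor; the log lines are constructed in a simplified tcpdump-like layout, and the local address 10.0.0.5, the DNS server 192.0.2.53 and the two-second correlation window are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed, simplified tcpdump-style lines (not real captures). A workstation
# (10.0.0.5) sends NetBIOS name-service queries to a DNS server (192.0.2.53) on
# UDP/137, which is closed there, so the server answers each one with an ICMP
# port unreachable. One further ICMP unreachable arrives from a host to which
# nothing was sent. The last two lines are an ordinary DNS query and reply.
SAMPLE_LOG = """\
16:26:01.100 IP 10.0.0.5.137 > 192.0.2.53.137: UDP, length 50
16:26:01.101 IP 192.0.2.53 > 10.0.0.5: ICMP 192.0.2.53 udp port 137 unreachable, length 86
16:26:01.210 IP 10.0.0.5.137 > 192.0.2.53.137: UDP, length 50
16:26:01.211 IP 192.0.2.53 > 10.0.0.5: ICMP 192.0.2.53 udp port 137 unreachable, length 86
16:26:05.000 IP 198.51.100.9 > 10.0.0.5: ICMP 198.51.100.9 udp port 33434 unreachable, length 86
16:26:07.000 IP 10.0.0.5.53123 > 192.0.2.53.53: UDP, length 40
16:26:07.020 IP 192.0.2.53.53 > 10.0.0.5.53123: UDP, length 120
"""

# Outbound/inbound UDP datagram: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length N"
UDP_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")
# ICMP type 3 code 3 as tcpdump prints it: "<ts> IP <src> > <dst>: ICMP <host> udp port <port> unreachable"
ICMP_UNREACH_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP (\S+) udp port (\d+) unreachable")


def to_seconds(ts):
    """Convert an HH:MM:SS.fraction timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify_icmp_unreachables(log_text, local_host, window=2.0):
    """Return [(time, reporting_host, port, verdict), ...] for every inbound
    ICMP udp-port-unreachable addressed to local_host.

    verdict is 'self-induced' when local_host sent a UDP datagram to that
    host/port within `window` seconds before the ICMP arrived (one outbound
    datagram is consumed per reply), otherwise 'unsolicited'."""
    recent = defaultdict(deque)  # (dst_host, dst_port) -> times of our outbound sends
    verdicts = []
    for line in log_text.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, _sport, dst, dport, _length = m.groups()
            if src == local_host:
                recent[(dst, int(dport))].append(to_seconds(ts))
            continue
        m = ICMP_UNREACH_RE.match(line)
        if m and m.group(3) == local_host:
            ts, _src, _dst, unreachable_host, port = m.groups()
            now = to_seconds(ts)
            sends = recent[(unreachable_host, int(port))]
            # Expire sends older than the correlation window.
            while sends and now - sends[0] > window:
                sends.popleft()
            if sends:
                sends.popleft()  # this reply accounts for one of our queries
                verdict = "self-induced"
            else:
                verdict = "unsolicited"
            verdicts.append((now, unreachable_host, int(port), verdict))
    return verdicts


def summarize(verdicts):
    """Count verdicts; a firewall that only counted inbound ICMP would report
    the whole total as an 'attack'."""
    counts = {"self-induced": 0, "unsolicited": 0}
    for _time, _host, _port, verdict in verdicts:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    results = classify_icmp_unreachables(SAMPLE_LOG, "10.0.0.5")
    for when, host, port, verdict in results:
        print(f"{when:.3f}  {host} udp/{port}: {verdict}")
    print(summarize(results))
```

Only the unreachable from 198.51.100.9 survives as something worth a second look; the two from the DNS server are the expected response to the workstation's own port 137 queries. The same correlation could be run against the server side (outbound ICMP unreachables matched to inbound UDP to closed ports) to show that the server's "flood" is rate-bound by the queries it receives.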