From owner-freebsd-security Wed May 27 16:59:33 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id QAA09121
    for freebsd-security-outgoing; Wed, 27 May 1998 16:59:33 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from implode.root.com (implode.root.com [198.145.90.17])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA09004
    for ; Wed, 27 May 1998 16:58:47 -0700 (PDT)
    (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1])
    by implode.root.com (8.8.5/8.8.5) with ESMTP id QAA10311;
    Wed, 27 May 1998 16:58:31 -0700 (PDT)
Message-Id: <199805272358.QAA10311@implode.root.com>
To: andrew@squiz.co.nz (Andrew McNaughton)
cc: "J.A. Terranson" , "'FreeBSD Security'"
Subject: Re: Possible DoS opportunity via ping implementation error?
In-reply-to: Your message of "Wed, 27 May 1998 17:37:46 +1200."
From: David Greenman
Reply-To: dg@root.com
Date: Wed, 27 May 1998 16:58:31 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

>At 3:05 PM 27/5/98, J.A. Terranson wrote:
>>I had a very interesting day today! I found out that FBSD (2.2.5R)
>>machines will
>>always respond to a broadcasted echo request. For example:
>
>This contradicts the CERT Advisory below which states that FreeBSD does not
>have the problem.
>
>Either the CERT report is wrong, a problem has been introduced since, or
>it's specific to the way you've set up your boxes.
>
>I'd like to know which.
...
>>FreeBSD, Inc.
>>=============
>>In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp
>>echo requests destined to broadcast and multicast addresses by default. This
>>behaviour can be changed via the sysctl command via
>>mib net.inet.icmp.bmcastecho.

The CERT advisory is wrong. FreeBSD has always responded to broadcast ICMP
echo requests by default. Further, the option mentioned to disable them was
broken in 2.2.x and -current until just yesterday.
-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project