Date:      Wed, 16 Apr 2003 13:12:10 -0700
From:      "Kevin Oberman" <oberman@es.net>
To:        Larry Rosenman <ler@lerctr.org>
Cc:        John Polstra <jdp@polstra.com>
Subject:   Re: "broadcast ping" message 
Message-ID:  <20030416201210.595235D04@ptavv.es.net>
In-Reply-To: Message from Larry Rosenman <ler@lerctr.org>  <346670000.1050520099@lerlaptop.iadfw.net> 

> Date: Wed, 16 Apr 2003 14:08:19 -0500
> From: Larry Rosenman <ler@lerctr.org>
> Sender: owner-freebsd-mobile@freebsd.org
> 
> 
> 
> --On Wednesday, April 16, 2003 12:05:41 -0700 Jamie Bowden 
> <ragnar@sysabend.org> wrote:
> 
> > On Wed, 16 Apr 2003, John Polstra wrote:
> >
> >> Oh, drop it!  Security fixes don't wait on standards.  You've got a
> >> knob to make it do what you want -- so use it.  Please stop the
> >> whining or at least remove me from the cc list.
> >
> > Since when is DOS a security issue?  My issue is default behaviour
> > violating both POLA and RFC.  You've got a knob to turn it off if it bugs
> > you.
> For clueless newbies that cause an ISP to be blacklisted, it sure as HECK 
> **IS** a security
> issue.

Larry, 

You are not arguing the issue at hand and many people are not
sufficiently involved with Internet routing to realize that this is not
relevant. 

To put it simply, if you have a router that FORWARDS broadcast pings,
you will very quickly become blue smurf toast. This is not an option or
matter of discretion and Cisco was massively abused for the old default.
No other router vendor forwards broadcast pings by default, either.

But the issue was not that of forwarding broadcast pings. The issue is a
system responding to a broadcast ping. Almost all systems do and all
should (IMHO). This is NOT a security issue. It's not even a denial of
service issue unless you have a very large broadcast domain and
potentially hostile, non-routed access to it.

I have never seen any proposal to change the "normal" behavior of
responding to broadcast pings as a proposed standard or BCP. Of course,
if a FreeBSD box is used as a router, it should not forward directed
broadcasts. (But that does not mean that it should not respond to them.)

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
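The distinction Kevin draws above (a router forwarding a directed broadcast versus a host answering one) is easy to get wrong, so here is an added example, not code from the thread or from FreeBSD, that makes both policies concrete on constructed packets. It builds IPv4/ICMP echo requests inline, applies the border-router rule (never forward a packet addressed to a subnet's directed-broadcast address, the behaviour of Cisco IOS `no ip directed-broadcast`), and models the host-side knob as FreeBSD's `net.inet.icmp.bmcastecho` sysctl, which I assume is the knob the thread is arguing about. The networks, addresses and function names are illustrative.

```python
"""Directed-broadcast (smurf) policy check on constructed IPv4/ICMP packets.

Added example, not code from the FreeBSD mailing-list thread.  Packets are
built inline from documentation addresses; function names are illustrative.
"""
import ipaddress
import struct

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum as used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes = b"constructed") -> bytes:
    """Build an IPv4 packet carrying an ICMP echo request (type 8, code 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_packet(pkt: bytes) -> dict:
    """Return src/dst/protocol and, for ICMP, the type and code."""
    (ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst), "proto": proto}
    if proto == 1:
        info["icmp_type"], info["icmp_code"] = struct.unpack("!BB", pkt[ihl:ihl + 2])
    return info


def router_verdict(pkt: bytes, inside_networks) -> tuple:
    """Policy of a border router that does not forward directed broadcasts.

    Returns ("drop", reason) or ("forward", reason).  The decision is made on
    the destination address alone, not on the protocol, so it also stops
    non-ICMP amplification (e.g. UDP echo/chargen to a broadcast address).
    """
    dst = parse_packet(pkt)["dst"]
    if dst == LIMITED_BROADCAST:
        return ("drop", "limited broadcast 255.255.255.255 is never forwarded")
    for net in inside_networks:
        # /31 and /32 have no broadcast address (RFC 3021); skip them.
        if net.prefixlen <= 30 and dst == net.broadcast_address:
            responders = net.num_addresses - 2
            return ("drop", f"directed broadcast for {net}: up to {responders} "
                            f"hosts would answer one spoofed packet")
    return ("forward", "unicast destination")


def host_replies(pkt: bytes, host_ip: str, host_net: str, bmcastecho: bool) -> bool:
    """Whether a host on the LAN answers the echo request.

    bmcastecho models FreeBSD's net.inet.icmp.bmcastecho sysctl (assumed to be
    the knob the thread refers to): when it is 0 the host ignores echo requests
    addressed to a broadcast address but still answers unicast pings.
    """
    hdr = parse_packet(pkt)
    if hdr.get("icmp_type") != 8:
        return False
    net = ipaddress.ip_network(host_net, strict=False)
    if hdr["dst"] == ipaddress.IPv4Address(host_ip):
        return True
    if hdr["dst"] in (net.broadcast_address, LIMITED_BROADCAST):
        return bmcastecho
    return False


if __name__ == "__main__":
    inside = [ipaddress.ip_network("192.0.2.0/24")]
    spoofed = build_icmp_echo("203.0.113.5", "192.0.2.255")  # victim as source
    print(router_verdict(spoofed, inside))
    print(host_replies(spoofed, "192.0.2.10", "192.0.2.0/24", bmcastecho=False))
```

The point the two functions make together: with the router dropping the directed broadcast, the spoofed packet never reaches the LAN, so whether hosts on it answer broadcast pings (the `bmcastecho` setting) has no bearing on whether the site can be used as a smurf amplifier; it only matters for traffic that originates inside the broadcast domain.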