From owner-freebsd-security Sat May 30 16:06:59 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA21071 for freebsd-security-outgoing; Sat, 30 May 1998 16:06:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns2.sminter.com.ar (ns2.sminter.com.ar [200.10.100.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA20046 for ; Sat, 30 May 1998 15:59:58 -0700 (PDT) (envelope-from Recabarren!fpscha@ns2.sminter.com.ar)
Received: (from uucp@localhost) by ns2.sminter.com.ar (8.8.5/8.8.4) id TAA28256 for FreeBSD.ORG!freebsd-security; Sat, 30 May 1998 19:58:22 -0300 (GMT)
>Received: (from fpscha@localhost) by localhost.schapachnik.com.ar (8.8.5/8.8.5) id JAA00209; Sat, 30 May 1998 09:31:47 -0300 (ARST)
From: "Fernando P. Schapachnik"
Message-Id: <199805301231.JAA00209@localhost.schapachnik.com.ar>
Subject: Re: Possible DoS opportunity via ping implementation error?
To: dg@root.com
Date: Sat, 30 May 1998 09:31:46 -0300 (ARST)
Cc: andrew@squiz.co.nz, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <199805272358.QAA10311@implode.root.com> from David Greenman at "May 27, 98 04:58:31 pm"
Reply-To: fpscha@schapachnik.com.ar
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In a previous message David Greenman wrote:
> > > >I'd like to know which.
> ...
> >>FreeBSD, Inc.
> >>=============
> >>In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp
> >>echo requests destined to broadcast and multicast addresses by default. This
> >>behaviour can be changed via the sysctl command via
> >>mib net.inet.icmp.bmcastecho.
>
>    The CERT advisory is wrong. FreeBSD has always responded to broadcast ICMP
> echo requests by default. Further, the option mentioned to disable them was
> broken in 2.2.x and -current until just yesterday.

Anyway, as a piece of advice, the best thing you can do is to configure your
router interfaces to disallow broadcasts. This is done via the 'no ip directed
broadcast' command on the serial interfaces, on CISCO routers. Of course, this
is not a final solution, but is very practical if you can "trust" your LAN, as
is mostly the case.

Regards!

Fernando P. Schapachnik
fpscha@schapachnik.com.ar

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
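The two mitigations discussed in this thread, dropping directed broadcasts at the router edge and turning off broadcast echo replies on the FreeBSD hosts behind it, are both things an administrator can audit from saved configuration text. The following Python is an added example written for this archive page; it is not code from the thread, from FreeBSD or from Cisco. It assumes the IOS command is spelled `no ip directed-broadcast` (the hyphenated form that IOS actually accepts) and that, as was the case for IOS releases of this era, an interface with no such line forwards directed broadcasts; the config and sysctl output it parses are constructed samples, and the interface and address values in them are made up.

```python
from typing import Dict, List, Optional

# Constructed sample IOS configuration (not from the thread). Serial0 is
# hardened, Ethernet0 explicitly allows directed broadcasts, Ethernet1 says
# nothing and so falls back to the (assumed, pre-12.0) permissive default.
SAMPLE_IOS_CONFIG = """\
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 no ip directed-broadcast
!
interface Ethernet0
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface Ethernet1
 ip address 203.0.113.1 255.255.255.0
!
"""

# Constructed sample of `sysctl net.inet.icmp` output on a FreeBSD host;
# bmcastecho=1 is the permissive setting David Greenman describes as the
# historical default.
SAMPLE_SYSCTL_OUTPUT = """\
net.inet.icmp.maskrepl: 0
net.inet.icmp.bmcastecho: 1
net.inet.icmp.icmplim: 200
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split IOS-style config text into {interface name: [stanza lines]}.

    A stanza starts at an unindented 'interface X' line and ends at the next
    unindented line (typically the '!' separator)."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # unindented non-interface line closes the stanza
    return interfaces


def interfaces_forwarding_directed_broadcast(config: str) -> List[str]:
    """Return interfaces that would forward directed broadcasts.

    Only an explicit 'no ip directed-broadcast' line counts as hardened;
    both an explicit 'ip directed-broadcast' and silence are reported,
    because the assumed default for this IOS generation is to forward."""
    return [
        name
        for name, lines in parse_interfaces(config).items()
        if "no ip directed-broadcast" not in lines
    ]


def bmcastecho_enabled(sysctl_output: str) -> Optional[bool]:
    """Parse 'name: value' sysctl output for net.inet.icmp.bmcastecho.

    Returns True if the host answers broadcast/multicast echo requests,
    False if it does not, and None if the MIB is absent from the output
    (older kernels, or output captured with a filter that missed it)."""
    for line in sysctl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "net.inet.icmp.bmcastecho":
            return value.strip() != "0"
    return None


if __name__ == "__main__":
    for iface in interfaces_forwarding_directed_broadcast(SAMPLE_IOS_CONFIG):
        print(f"router: {iface} forwards directed broadcasts")
    if bmcastecho_enabled(SAMPLE_SYSCTL_OUTPUT):
        print("host: net.inet.icmp.bmcastecho=1, host answers broadcast pings")
```

The router check is the one Fernando recommends; the host check covers his caveat that the router-side fix is only "practical if you can trust your LAN", since a host that still answers broadcast pings can be used as an amplifier by anyone already on that segment. On IOS 12.0 and later the default flipped and the `no ip directed-broadcast` line is no longer shown in the running config, so the "silence means exposed" assumption in the code should be revisited for modern platforms.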