Date: Sun, 25 Feb 1996 17:18:39 -0500 (EST)
From: ewb@zygaena.com
To: freebsd-security@freebsd.org
Subject: Re: Alert: UDP Port Denial-of-Service Attack (fwd)
Message-ID: <199602252218.RAA00532@lochsa.i.com>
>> UDP is, at present, the only thing impacted.  It only takes one rogue
>> packet to set them jabbering at each other (which is one reason we
>> don't allow any IP packets with "src" of one of our netblock through
>> our firewall).
>
>Of course, that doesn't help you if the forged source is on someone
>else's network...

Depends on whether you have a packet filter or firewall that blocks these
"services" - or UDP in general except perhaps for 53.  All depends on your
stance.  Mr. Wollman at MIT has to be concerned since his academic network
is probably pretty open.  Most ISPs could block these UDP services into
(and out of) their local LANs, but a disgruntled user could still cause
problems.

But of course the problem is nicely solved within inetd (as has been
pointed out, I believe).  From FreeBSD inetd(8):

    All of these services are available in both TCP and UDP versions; the
    UDP versions will refuse service if the request specifies a reply port
    corresponding to any internal service.  (This is done as a defense
    against looping attacks;

If we have Mr. Wollman to thank for this - Bravo!  Solaris 2.4 and SunOS
4.1.4 DO NOT have this note in the inetd man pages - and thus I presume
they are vulnerable.  Don't know about other un*xen.

-- 
Will Brown
ewb@zygaena.com
Zygaena Network Services
http://www.zygaena.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199602252218.RAA00532>
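The inetd(8) loop defense quoted in the message above is easy to model. The following Python is an added illustration, not part of Will Brown's post and not FreeBSD's inetd source: it keeps a table of the classic "internal" UDP services (echo, discard, daytime, chargen, time, with their IANA port numbers, assumed here), refuses any request whose reply port is one of them, and replays the scenario from the thread, one forged datagram bouncing between two hosts' small services, with the check on and off. Host names, payloads and the log line format are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed table of the inetd "internal" UDP services (IANA port numbers).
# On a real system the set comes from whatever inetd.conf enables.
INTERNAL_UDP_PORTS = {"echo": 7, "discard": 9, "daytime": 13, "chargen": 19, "time": 37}
INTERNAL_PORT_SET = frozenset(INTERNAL_UDP_PORTS.values())


@dataclass
class Datagram:
    """A UDP datagram reduced to the fields the loop check cares about."""
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    payload: bytes


def is_looping_request(reply_port: int) -> bool:
    """The inetd(8) defense: if the reply port is itself one of our internal
    UDP services, answering would make two servers talk to each other for
    ever, so the request is refused.  Only the port is compared, as in inetd."""
    return reply_port in INTERNAL_PORT_SET


def handle(dgram: Datagram, check_loop: bool, log: list[str]) -> Optional[Datagram]:
    """Serve one datagram the way an inetd internal UDP service would.
    Returns the reply datagram, or None when nothing is sent back."""
    if check_loop and is_looping_request(dgram.src_port):
        # Constructed log format; a refused request is worth logging because
        # a legitimate client never uses a well-known service port as its
        # reply port, so this is a useful spoofing indicator.
        log.append(
            f"inetd: refused udp/{dgram.dst_port} request from "
            f"{dgram.src_host}:{dgram.src_port} (reply port is an internal service)"
        )
        return None
    if dgram.dst_port == INTERNAL_UDP_PORTS["echo"]:
        body = dgram.payload                       # echo returns what it got
    elif dgram.dst_port == INTERNAL_UDP_PORTS["chargen"]:
        body = b"chargen line (constructed)\r\n"   # chargen answers anything
    else:
        return None                                # discard, or not modelled
    return Datagram(dgram.dst_host, dgram.dst_port, dgram.src_host, dgram.src_port, body)


def simulate(check_loop: bool, max_rounds: int = 50) -> tuple[int, list[str]]:
    """Replay the thread's scenario: one datagram that appears to come from
    host B's chargen port arrives at host A's echo port.  Each reply is then
    delivered to the service it is addressed to.  Returns the number of reply
    datagrams generated before the exchange died (or max_rounds was reached)
    and the log lines produced."""
    log: list[str] = []
    # Constructed trigger datagram; hosts and payload are placeholders.
    dgram = Datagram("hostB.example", INTERNAL_UDP_PORTS["chargen"],
                     "hostA.example", INTERNAL_UDP_PORTS["echo"], b"x")
    replies = 0
    for _ in range(max_rounds):
        reply = handle(dgram, check_loop, log)
        if reply is None:
            break
        replies += 1
        dgram = reply  # the reply becomes the next request on the other host
    return replies, log


if __name__ == "__main__":
    for enabled in (False, True):
        n, lines = simulate(check_loop=enabled)
        print(f"loop check {'on ' if enabled else 'off'}: {n} replies generated")
        for line in lines:
            print("  " + line)
```

With the check disabled the simulation runs until max_rounds, which is what the message's "jabbering at each other" looks like in practice; with it enabled the very first forged datagram is refused and logged, while an ordinary client replying from an ephemeral port is still served.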
