From owner-freebsd-security Tue May 26 22:36:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA01098 for freebsd-security-outgoing; Tue, 26 May 1998 22:36:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.actrix.gen.nz (root@mail.actrix.gen.nz [203.96.16.37]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA00984 for ; Tue, 26 May 1998 22:35:48 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from [192.168.1.2] (aniwa.actrix.gen.nz [203.96.56.186]) by mail.actrix.gen.nz (8.8.8/8.8.5) with SMTP id RAA22620; Wed, 27 May 1998 17:35:12 +1200 (NZST) X-Sender: andrew@192.168.1.1 Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Wed, 27 May 1998 17:37:46 +1200 To: "J.A. Terranson" , "'FreeBSD Security'" From: andrew@squiz.co.nz (Andrew McNaughton) Subject: Re: Possible DoS opportunity via ping implementation error? Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk At 3:05 PM 27/5/98, J.A. Terranson wrote: >I had a very interesting day today! I found out that FBSD (2.2.5R) >machines will >always respond to a broadcasted echo request. For example: This contradicts the CERT Advisory below which states that FreeBSD does not have the problem. Either the CERT report is wrong, a problem has been introduced since, or it's specific to the way you've set up your boxes. I'd like to know which. >============================================================================= >CERT* Advisory CA-98.01.smurf >Original issue date: Jan. 05, 1998 >Last revised: -- > >Topic: "smurf" IP Denial-of-Service Attacks >- ----------------------------------------------------------------------------- > >This advisory is intended primarily for network administrators responsible for >router configuration and maintenance. > >The attack described in this advisory is different from the denial-of-service >attacks described in CERT advisory CA-97.28. > >The CERT Coordination Center has received reports from network service >providers (NSPs), Internet service providers (ISPs), and other sites of >continuing denial-of-service attacks involving forged ICMP echo request >packets (commonly known as "ping" packets) sent to IP broadcast >addresses. These attacks can result in large amounts of ICMP echo reply >packets being sent from an intermediary site to a victim, which can cause >network congestion or outages. These attacks have been referred to as "smurf" >attacks because the name of one of the exploit programs attackers use to >execute this attack is called "smurf." >FreeBSD, Inc. >============= >In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp >echo requests destined to broadcast and multicast addresses by default. This >behaviour can be changed via the sysctl command via >mib net.inet.icmp.bmcastecho. > ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Andrew McNaughton = ++64 4 389 6891 Any sufficiently advanced = andrew@squiz.co.nz bug is indistinguishable = http://www.newsroom.co from a feature. = -- Rich Kulawiec = To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message