From owner-freebsd-security Wed May 27 00:53:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA26147 for freebsd-security-outgoing; Wed, 27 May 1998 00:53:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from kremvax.demos.su (kremvax.demos.su [194.87.0.20]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id AAA26050 for ; Wed, 27 May 1998 00:52:38 -0700 (PDT) (envelope-from sinbin.demos.su!bag@kremvax.demos.su)
Received: by kremvax.demos.su (8.6.13/D) from 0@sinbin.demos.su [194.87.5.31] with ESMTP id LAA21116; Wed, 27 May 1998 11:48:49 +0400
Received: by sinbin.demos.su id LAA23285; (8.6.12/D) Wed, 27 May 1998 11:48:19 +0400
From: bag@sinbin.demos.su (Alex G. Bulushev)
Message-Id: <199805270748.LAA23285@sinbin.demos.su>
Subject: Re: Possible DoS opportunity via ping implementation error?
In-Reply-To: from "Andrew McNaughton" at "May 27, 98 05:37:46 pm"
X-ELM-OSV: (Our standard violations) no-mime=1; no-hdr-encoding=1
To: andrew@squiz.co.nz (Andrew McNaughton)
Date: Wed, 27 May 1998 11:48:19 +0400 (MSD)
Cc: sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
Content-Type: text
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> At 3:05 PM 27/5/98, J.A. Terranson wrote:
> >I had a very interesting day today! I found out that FBSD (2.2.5R)
> >machines will
> >always respond to a broadcasted echo request. For example:
>
> This contradicts the CERT Advisory below which states that FreeBSD does not
> have the problem.
>
> Either the CERT report is wrong, a problem has been introduced since, or
> it's specific to the way you've set up your boxes.

CERT report is wrong. I checked -current (Apr 23) and found that it responds
to broadcast ping, default net.inet.icmp.bmcastecho=1, but it also responds
to broadcast after sysctl -w net.inet.icmp.bmcastecho=0.

The good news is that in both cases it does not respond from aliases :)

Alex.

>
> I'd like to know which.
>
> >=============================================================================
> >CERT* Advisory CA-98.01.smurf
> >Original issue date: Jan. 05, 1998
> >Last revised: --
> >
> >Topic: "smurf" IP Denial-of-Service Attacks
> >- -----------------------------------------------------------------------------
> >
> >This advisory is intended primarily for network administrators responsible for
> >router configuration and maintenance.
> >
> >The attack described in this advisory is different from the denial-of-service
> >attacks described in CERT advisory CA-97.28.
> >
> >The CERT Coordination Center has received reports from network service
> >providers (NSPs), Internet service providers (ISPs), and other sites of
> >continuing denial-of-service attacks involving forged ICMP echo request
> >packets (commonly known as "ping" packets) sent to IP broadcast
> >addresses. These attacks can result in large amounts of ICMP echo reply
> >packets being sent from an intermediary site to a victim, which can cause
> >network congestion or outages. These attacks have been referred to as "smurf"
> >attacks because the name of one of the exploit programs attackers use to
> >execute this attack is called "smurf."
> >
> >FreeBSD, Inc.
> >=============
> >In FreeBSD 2.2.5 and up, the tcp/ip stack does not respond to icmp
> >echo requests destined to broadcast and multicast addresses by default. This
> >behaviour can be changed via the sysctl command via
> >mib net.inet.icmp.bmcastecho.
> >
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Andrew McNaughton                                          =
> ++64 4 389 6891              Any sufficiently advanced     =
> andrew@squiz.co.nz           bug is indistinguishable      =
> http://www.newsroom.co       from a feature.               =
>                              -- Rich Kulawiec              =
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
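
The reply policy that the quoted advisory attributes to net.inet.icmp.bmcastecho, written out as an added example; it is not part of the original message and is not FreeBSD's kernel code. The function names, the IP() macro and the 192.0.2.0/24 sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Build an IPv4 address in host byte order from dotted-quad parts. */
#define IP(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* 1 if dst is a multicast or broadcast address as seen from an interface
 * configured with ifaddr/mask (hypothetical helper, host byte order). */
static int is_bmcast(uint32_t dst, uint32_t ifaddr, uint32_t mask)
{
    if ((dst & 0xf0000000u) == 0xe0000000u)
        return 1;                               /* 224.0.0.0/4 multicast */
    if (dst == 0xffffffffu)
        return 1;                               /* limited broadcast */
    if (mask >= 0xfffffffeu)
        return 0;                               /* /31 and /32 have no broadcast */
    return dst == ((ifaddr & mask) | ~mask);    /* subnet-directed broadcast */
}

/* Decide whether an ICMP echo request to dst gets a reply. bmcastecho models
 * the net.inet.icmp.bmcastecho value: 0 = stay silent on broadcast/multicast. */
static int should_reply_echo(uint32_t dst, uint32_t ifaddr, uint32_t mask,
                             int bmcastecho)
{
    if (is_bmcast(dst, ifaddr, mask))
        return bmcastecho != 0;
    return dst == ifaddr;                       /* unicast: only our own address */
}

int main(void)
{
    /* Constructed sample: interface 192.0.2.10/24 (documentation range). */
    uint32_t ifaddr = IP(192, 0, 2, 10), mask = IP(255, 255, 255, 0);
    uint32_t dsts[] = { IP(192, 0, 2, 10), IP(192, 0, 2, 255),
                        IP(255, 255, 255, 255), IP(224, 0, 0, 1) };
    for (int knob = 0; knob <= 1; knob++)
        for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++)
            printf("bmcastecho=%d dst=%08x reply=%d\n", knob, (unsigned)dsts[i],
                   should_reply_echo(dsts[i], ifaddr, mask, knob));
    return 0;
}
```

A host that still answers the subnet broadcast address with the knob set to 0, as the reply above reports, is the case this model returns 0 for.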