From owner-freebsd-security Mon Feb 26 13:30:51 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id NAA18491 for security-outgoing; Mon, 26 Feb 1996 13:30:51 -0800 (PST)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id NAA18481 for ; Mon, 26 Feb 1996 13:30:45 -0800 (PST)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA24901; Mon, 26 Feb 1996 16:30:42 -0500
Date: Mon, 26 Feb 1996 16:30:42 -0500
From: "Garrett A. Wollman"
Message-Id: <9602262130.AA24901@halloran-eldar.lcs.mit.edu>
To: Nathan Lawson
Cc: security@freebsd.org
Subject: Re: Alert: UDP Port Denial-of-Service Attack (fwd)
In-Reply-To: <199602262110.NAA13050@kdat.calpoly.edu>
References: <9602251821.AA15742@halloran-eldar.lcs.mit.edu> <199602262110.NAA13050@kdat.calpoly.edu>
Sender: owner-security@freebsd.org
Precedence: bulk

< said:

> Another attack that would possibly work is that you could send a packet to
> the daytime port from the broadcast address. I believe that most modern
> systems (including FreeBSD) will need the socket to have SO_BROADCAST set
> so this most likely won't succeed.

Actually, substitute `all-hosts multicast' for `broadcast' and `to and from' for `from', and you've got the original scenario which caused me to shudder for a minute and then write this code. Can you say `broadcast storm'? I knew you could... :-(

> Be kind to your neighbors. Block outgoing spoofed source addresses as well
> as incoming.

That doesn't help us, where most of the trouble comes from cracked machines on our own networks...

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish.          - Claude McKenzie + Florent Vollant
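The kind of daemon-side check the reply alludes to, as an added example that is not code from this thread, from FreeBSD or from inetd: a UDP daytime-style responder that refuses to answer a datagram whose source (or, when the caller knows it, destination) address is broadcast or multicast, and whose source port falls in the reserved range where the other small services live, so a spoofed request can neither fan out to the whole segment nor start two daemons bouncing replies at each other. The 192.0.2.0/24 subnet and port 13013 are placeholders.

```python
"""Defensive checks for a UDP small-service responder (added example)."""
from typing import Optional
import ipaddress
import socket
import time

IPPORT_RESERVED = 1024          # every UDP small service (echo, chargen, ...) sits below this
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def should_answer(src_ip: str, src_port: int, dst_ip: Optional[str] = None,
                  local_net: str = "192.0.2.0/24") -> bool:
    """Return True only if replying to (src_ip, src_port) can neither fan out nor loop.

    dst_ip is the address the datagram was sent to, when the caller obtained it
    (IP_RECVDSTADDR on FreeBSD, IP_PKTINFO on Linux); None means unknown.
    local_net is the interface's subnet; 192.0.2.0/24 is a placeholder.
    """
    net = ipaddress.ip_network(local_net, strict=False)
    for raw in (src_ip, dst_ip):
        if raw is None:
            continue
        addr = ipaddress.ip_address(raw)
        # A broadcast or multicast address on either side turns one spoofed
        # request into a reply delivered to every host on the segment.
        if (addr.is_multicast or addr.is_unspecified
                or addr == LIMITED_BROADCAST or addr == net.broadcast_address):
            return False
    # A reply aimed into the reserved range may hit another small service,
    # which answers back; the two daemons then ping-pong until one is stopped.
    return src_port >= IPPORT_RESERVED


def serve_daytime_once(sock: socket.socket) -> bool:
    """Handle one datagram on a bound UDP socket; return True if a reply was sent."""
    _payload, (src_ip, src_port) = sock.recvfrom(512)
    if not should_answer(src_ip, src_port):
        return False        # drop silently; a real daemon would rate-limit a log line here
    sock.sendto(time.ctime().encode() + b"\r\n", (src_ip, src_port))
    return True


if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", 13013))  # unprivileged placeholder for daytime's port 13
    while True:
        serve_daytime_once(s)
```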