Date:      Mon, 14 Sep 1998 01:59:24 -0700 (PDT)
From:      Liam Slusser <liam@tiora.net>
To:        security@FreeBSD.ORG
Subject:   smurf and broadcast packets..
Message-ID:  <Pine.BSF.3.96.980914013859.545A-100000@orbital.tiora.net>


Today my server was bombed by a smurf attack.  After I got everything up
and running again, I went out and tried to figure out how to stop it from
happening again.  I found a CERT advisory ("smurf" IP Denial-of-Service
Attacks) (CA-98.01.smurf) and read up on it.  From what I understand, it
is a ping on *.*.*.255... which gets multiplied.  I tried pinging my network
(24.0.185.255) and my server replied.  So I did a little more looking, and
found a post, http://www.geek-girl.com/bugtraq/1998_2/0421.html (explains
the FreeBSD smurf vulnerability), on the problem.  I installed the patch, which
involved editing ip_icmp.c in the kernel source... then I came back up... I
tried again... but I could still ping 24.0.185.255 and get a reply.
From there, I checked sysctl "net.inet.icmp.bmcastecho" and noticed it was
set at 1.  I changed it to 0, and from there... I ran into a weird
problem.  My server has two network cards in it, ed0 (internet side,
24.0.185.89) and ed1 (internal network, 10.0.0.1), and runs natd.  When I
turned net.inet.icmp.bmcastecho to 0... I could not ping 10.0.0.255 but I
could ping my internet side 24.0.189.255.

ping 10.0.0.255
PING 10.0.0.255 (10.0.0.255): 56 data bytes
--- 10.0.0.255 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

ping 24.0.185.255
PING 24.0.185.255 (24.0.185.255): 56 data bytes
64 bytes from 24.0.185.89: icmp_seq=0 ttl=255 time=0.857 ms
64 bytes from 24.0.185.89: icmp_seq=1 ttl=255 time=0.692 ms
--- 24.0.185.255 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss


With "net.inet.icmp.bmcastecho" set at 1, I could ping 10.0.0.255 and get
a reply... but not at 0.  I do have ipfw installed... the rules are as follows:

ipfw list
00100 divert 6668 ip from any to any via ed0
00200 allow ip from any to any
65535 deny ip from any to any

By the way, my server is running...

uname -a
FreeBSD orbital.tiora.net 3.0-971225-SNAP FreeBSD 3.0-971225-SNAP #0: Mon
Sep 14 00:59:08 PDT 1998
liam@orbital.tiora.net:/usr/src/sys/compile/orbital  i386

What am I doing wrong?  What can I do to stop my server from being the
victim of another smurf attack?

thanks for the help!

liam


System Administrator Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civics are really cool. <---------- my quote
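
As an added illustration (not part of Liam's post or of FreeBSD), the check below scans constructed tcpdump-style lines for the traffic that a host with net.inet.icmp.bmcastecho=1 answers and thereby amplifies: echo requests addressed to the directed broadcast of one of its interfaces, or to 255.255.255.255. The interface table, the /24 masks and the log lines are all assumptions modelled on the addresses in the post; a broadcast ping from a host on the same segment is kept apart from one arriving from outside, since only the latter is the reflector pattern.

```python
import ipaddress
import re

# Constructed interface table after the post (ed0 Internet side, ed1 internal); the /24 masks are an assumption, the post gives none.
INTERFACES = {
    "ed0": ipaddress.ip_interface("24.0.185.89/24"),
    "ed1": ipaddress.ip_interface("10.0.0.1/24"),
}

# Constructed tcpdump-style lines, not a capture from the poster's host.
SAMPLE_LOG = """\
01:58:01.000 ed0 IP 192.0.2.7 > 24.0.185.255: ICMP echo request
01:58:01.001 ed0 IP 192.0.2.7 > 24.0.185.255: ICMP echo request
01:58:01.002 ed0 IP 24.0.185.89 > 192.0.2.7: ICMP echo reply
01:58:02.000 ed0 IP 198.51.100.3 > 24.0.185.89: ICMP echo request
01:58:03.000 ed1 IP 10.0.0.1 > 10.0.0.255: ICMP echo request
01:58:04.000 ed0 IP 203.0.113.9 > 255.255.255.255: ICMP echo request
"""

LINE_RE = re.compile(r"^\S+ (\S+) IP (\S+) > (\S+): ICMP echo (request|reply)$")

def classify_echo_request(iface, src, dst):
    """Return 'limited-broadcast', 'directed-broadcast', 'local-broadcast',
    or None for an ordinary unicast ping."""
    net = INTERFACES[iface].network
    dst_ip, src_ip = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    if dst_ip == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if dst_ip != net.broadcast_address:
        return None
    # Same-segment broadcast pings are normal LAN traffic; from outside the segment it is the smurf reflector pattern.
    return "local-broadcast" if src_ip in net else "directed-broadcast"

def find_amplifier_traffic(log_text):
    """Count echo requests, keyed by (src, dst, iface), that a host with
    net.inet.icmp.bmcastecho=1 would answer on behalf of a spoofed source."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "request":
            continue
        iface, src, dst = m.group(1), m.group(2), m.group(3)
        if classify_echo_request(iface, src, dst) in ("directed-broadcast", "limited-broadcast"):
            findings[(src, dst, iface)] = findings.get((src, dst, iface), 0) + 1
    return findings

if __name__ == "__main__":
    for (src, dst, iface), n in sorted(find_amplifier_traffic(SAMPLE_LOG).items()):
        print(f"{iface}: {n} broadcast echo request(s) {src} -> {dst}")
```

With the sysctl set to 0 the replies stop, but the requests still arrive; the same classification tells you which packets a border filter should drop before they reach the segment.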

