Date: Mon, 14 Sep 1998 01:59:24 -0700 (PDT)
From: Liam Slusser <liam@tiora.net>
To: security@FreeBSD.ORG
Subject: smurf and broadcast packets..
Message-ID: <Pine.BSF.3.96.980914013859.545A-100000@orbital.tiora.net>
Today my server was bombed by a smurf attack. After I got everything up and running again, I went out and tried to figure out how to stop it from happening again. I found a CERT advisory ("smurf" IP Denial-of-Service Attacks) (CA-98.01.smurf) and read up on it. From what I understand, it is a ping on *.*.*.255, which gets multiplied. I tried pinging my network (24.0.185.255) and my server replied. So I did a little more looking, and found a post, http://www.geek-girl.com/bugtraq/1998_2/0421.html (explains FreeBSD smurf vulnerability), on the problem. I installed the patch, which involved editing ip_icmp.c in the kernel source; then I came back up and tried again, but I could still ping 24.0.185.255 and get a reply.

From there, I checked sysctl "net.inet.icmp.bmcastecho" and noticed it was set at 1. I changed it to 0, and from there I ran into a weird problem. My server has two network cards in it, ed0 (internet side, 24.0.185.89) and ed1 (internal network, 10.0.0.1), and runs natd. When I turned net.inet.icmp.bmcastecho to 0, I could not ping 10.0.0.255 but I could ping my internet side 24.0.189.255.

ping 10.0.0.255
PING 10.0.0.255 (10.0.0.255): 56 data bytes

--- 10.0.0.255 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

ping 24.0.185.255
PING 24.0.185.255 (24.0.185.255): 56 data bytes
64 bytes from 24.0.185.89: icmp_seq=0 ttl=255 time=0.857 ms
64 bytes from 24.0.185.89: icmp_seq=1 ttl=255 time=0.692 ms

--- 24.0.185.255 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss

With "net.inet.icmp.bmcastecho" set at 1, I could ping 10.0.0.255 and get a reply, but not at 0. I do have ipfw installed; the rules are as follows:

ipfw list
00100 divert 6668 ip from any to any via ed0
00200 allow ip from any to any
65535 deny ip from any to any

By the way, my server is running...

uname -a
FreeBSD orbital.tiora.net 3.0-971225-SNAP FreeBSD 3.0-971225-SNAP #0: Mon Sep 14 00:59:08 PDT 1998 liam@orbital.tiora.net:/usr/src/sys/compile/orbital i386

What am I doing wrong? What can I do to stop my server from being the victim of another smurf attack?

thanks for the help!

liam
System Administrator
Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civic's are really cool. <---------- my quote
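An added example, not code from Liam's post or from FreeBSD itself: a POSIX sh script that works out each interface's real directed-broadcast address from its address and netmask (the post assumes .255 is the broadcast; on a block larger than a /24 it is not, and `ifconfig ed0` shows the mask actually configured), then prints the kernel setting from the post plus ipfw rules that drop inbound ICMP echo requests to the broadcast, network and limited-broadcast addresses. The interface names and addresses are the two from the post; the /24 netmasks, the rule numbers (chosen to sort ahead of the post's 00100 divert rule so natd never sees the packets) and the `icmptypes 8` option syntax are assumptions to check against ipfw(8) on the running system. Nothing is applied; the script only prints the commands.

```shell
#!/bin/sh
# Added example (not from the post or FreeBSD): generate the settings that
# stop this host acting as a smurf amplifier. Prints commands; applies nothing.

# Split a dotted quad into the shell variables o1..o4.
split4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    o1=$1; o2=$2; o3=$3; o4=$4
}

# Directed broadcast = address OR (NOT netmask), octet by octet.
broadcast_addr() {
    split4 "$1"; a1=$o1; a2=$o2; a3=$o3; a4=$o4
    split4 "$2"; m1=$o1; m2=$o2; m3=$o3; m4=$o4
    printf '%d.%d.%d.%d\n' $((a1 | (255 - m1))) $((a2 | (255 - m2))) \
                           $((a3 | (255 - m3))) $((a4 | (255 - m4)))
}

# Network address = address AND netmask; CA-98.01 notes some stacks
# answer echo requests sent to the all-zeros form as well.
network_addr() {
    split4 "$1"; a1=$o1; a2=$o2; a3=$o3; a4=$o4
    split4 "$2"; m1=$o1; m2=$o2; m3=$o3; m4=$o4
    printf '%d.%d.%d.%d\n' $((a1 & m1)) $((a2 & m2)) $((a3 & m3)) $((a4 & m4))
}

# ipfw commands for one interface: drop inbound ICMP echo requests (type 8)
# aimed at the subnet broadcast, the network address and 255.255.255.255.
# Usage: smurf_rules IFNAME ADDRESS NETMASK FIRST_RULE_NUMBER
# Rule numbers below 100 are an assumption chosen to precede the divert rule.
smurf_rules() {
    ifname=$1
    bcast=$(broadcast_addr "$2" "$3")
    net=$(network_addr "$2" "$3")
    n=$4
    for dst in "$bcast" "$net" 255.255.255.255; do
        printf 'ipfw add %d deny icmp from any to %s in via %s icmptypes 8\n' \
            "$n" "$dst" "$ifname"
        n=$((n + 1))
    done
}

# The kernel-side setting from the post, in the sysctl -w form of FreeBSD 3.x.
# Where it is run at boot (e.g. /etc/rc.local) is an assumption for your system.
sysctl_line() {
    echo 'sysctl -w net.inet.icmp.bmcastecho=0'
}

# Sample input constructed from the post's two interfaces. The /24 masks are
# assumed; confirm with `ifconfig ed0` and `ifconfig ed1` before using them.
sysctl_line
smurf_rules ed0 24.0.185.89 255.255.255.0 50
smurf_rules ed1 10.0.0.1    255.255.255.0 60
```

After adding the rules, the check is the same one the post uses: `ping -c 2` against each printed broadcast address from another host on that subnet should get no replies, and `ipfw -a list` should show the deny rules' counters increasing while the divert rule's do not. If `broadcast_addr` prints something other than .255 for ed0, the address the post was pinging was never the interface's broadcast address in the first place.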