Wow, I was glad to see that all these wonderful folks are reading the router requirements (RFC-1812, June 1995). Good, good.

What I'd like to understand is how smurf attacks can work, even with directed broadcast on? Isn't there a requirement (RFC-1122) from ages past (October 1989) that ICMP not respond to broadcast or multicast [page 38 et seq]?

What pressure is being put on host vendors?

Which host vendors are the problem?

WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Sat, 14 Feb 1998, William Allen Simpson wrote:

==>Wow, I was glad to see that all these wonderful folks are reading the
==>router requirements (RFC-1812, June 1995). Good, good.
==>
==>What I'd like to understand is how smurf attacks can work, even with
==>directed broadcast on? Isn't there a requirement (RFC-1122) from ages
==>past (October 1989) that ICMP not respond to broadcast or multicast
==>[page 38 et seq]?

Nope. RFC 1122[1] says (also in my paper =):

---
An ICMP Echo Request destined to an IP broadcast or IP multicast address MAY be silently discarded.

DISCUSSION: This neutral provision results from a passionate debate between those who feel that ICMP Echo to a broadcast address provides a valuable diagnostic capability and those who feel that misuse of this feature can too easily create packet storms.
---

Most stack implementors have chosen to respond to it because of its troubleshooting value; then again, the date of the RFC shows why many folks would tend to believe the threat of the attack wouldn't be very large.

/cah

[1] RFC-1122, "Requirements for Internet Hosts - Communication Layers"; R.T. Braden; October 1989.
On Sat, 14 Feb 1998, William Allen Simpson wrote:

Forgot to address the second part of the post...

==>What pressure is being put on host vendors?

Well, I don't know that there is much. Host vendors are saying this is a network problem, and they're well within the RFC. Personally, I think broadcast pings are a great troubleshooting tool; but like any good tool, someone's found a way to cause mass destruction with it.

==>Which host vendors are the problem?

How about I supply some information about the hosts I do know about:

IBM has provided a setting in AIX 4.x to disable responses to broadcast addresses. It is not available in AIX 3.x. Use the "no" command to turn it off or on. NOTE: On AIX 4.x responses are DISABLED by default.

    no -o bcastping=0    # disable bcast ping responses (default)

Solaris can be set not to respond to ICMP echo requests. Add the following line to your /etc/rc2.d/S69inet startup:

    ndd -set /dev/ip ip_respond_to_echo_broadcast 0

Starting with version 2.2.5, FreeBSD's IP stack does not respond to icmp echo requests destined to broadcast and multicast addresses by default. The sysctl parameter for this functionality is net.inet.icmp.bmcastecho.

Under NetBSD, directed broadcasts can be disabled by using the sysctl command:

    sysctl -w net.inet.ip.directed-broadcast=0

Under Linux, one can use the CONFIG_IP_IGNORE_ECHO_REQUESTS variable to completely ignore ICMP echo requests. Of course, this violates RFC 1122. "ipfw" can be used from Linux to block broadcast echos, a la:

Any system with ipfw can be protected by adding rules such as:

    ipfwadm -I -a deny -P icmp -D 123.123.123.0 -S 0/0 0 8
    ipfwadm -I -a deny -P icmp -D 123.123.123.255 -S 0/0 0 8

(replace 123.123.123.0 and 123.123.123.255 with your base network number and broadcast address, respectively)

/cah
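The ipfwadm rules above deny echo requests to both the network and the broadcast address; the following script, added here as an example and not part of the thread, applies the same test to tcpdump-style capture lines so an operator can see whether hosts on a subnet are being used as smurf amplifiers. It assumes `tcpdump -n`-style output and a constructed sample capture; the reflection victim is the (spoofed) source address that the flagged requests share.

```python
"""Flag ICMP echo requests aimed at a subnet's broadcast or network address.
Constructed example: parse tcpdump-style lines and tally such requests by
source, since in a smurf the source is the spoofed victim of the reflection."""
import ipaddress
import re
from collections import Counter

# tcpdump -n style, e.g.
# "12:00:01.000001 IP 203.0.113.9 > 192.0.2.255: ICMP echo request, id 7, seq 1, length 64"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply)"
)

def amplifier_targets(local_net):
    """Addresses a broadcast ping to local_net would hit: the directed broadcast
    address and, on older BSD-derived stacks, the all-zeros network address."""
    net = ipaddress.ip_network(local_net, strict=False)
    return {net.broadcast_address, net.network_address}

def flag_broadcast_echo(lines, local_net):
    """Return (flagged, per_source): flagged is a list of (src, dst) echo
    requests to an amplifier target; per_source counts them by source."""
    targets = amplifier_targets(local_net)
    flagged, per_source = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["kind"] != "request":
            continue  # replies and non-ICMP traffic are not the trigger
        dst = ipaddress.ip_address(m["dst"])
        if dst in targets:
            flagged.append((m["src"], str(dst)))
            per_source[m["src"]] += 1
    return flagged, per_source

# Constructed sample capture: three spoofed requests to broadcast/network
# addresses, one reply, and one ordinary unicast ping that must not be flagged.
SAMPLE = [
    "12:00:01.000001 IP 203.0.113.9 > 192.0.2.255: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000400 IP 192.0.2.17 > 203.0.113.9: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:01.000900 IP 203.0.113.9 > 192.0.2.0: ICMP echo request, id 7, seq 2, length 64",
    "12:00:02.000000 IP 192.0.2.30 > 192.0.2.17: ICMP echo request, id 9, seq 1, length 64",
    "12:00:02.500000 IP 203.0.113.9 > 192.0.2.255: ICMP echo request, id 7, seq 3, length 64",
]

if __name__ == "__main__":
    hits, by_src = flag_broadcast_echo(SAMPLE, "192.0.2.0/24")
    for src, dst in hits:
        print(f"broadcast echo request {src} -> {dst}")
    print("likely spoofed victim:", by_src.most_common(1))
```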