Just a small correction: the broadcast address is
        (typically) .255, but a bit of experimentation has
        shown that pings to .0 and .255 result in the same
        response.  You would be best to block both.

        Also, assuming that you used the command "tcpdump icmp",
        you should see the echo request being sent to the broadcast
        address.  Of course, as stated previously, the source of
        the echo request can easily be forged.

        Lastly, it seems as though Windows machines don't reply to
        pings to broadcast addresses; *nix machines, however, will.
        This is the likely explanation as to why all the *nix boxes
        were exhibiting this behaviour.

        As Michael Stone stated, broadcast traffic (at least ICMP)
        should be filtered at the router.  Also disabling broadcast
        ICMP on the Linux boxes is a good idea regardless of the
        filtering on the router.

        Hope this helps somewhat.

----------------------------------------------
John Vivian
Exxecom
Network Security Analyst
----------------------------------------------





-----Original Message-----
From: Michael Stone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 27, 2000 9:46 AM
To: Nuno Faria
Cc: [EMAIL PROTECTED]
Subject: Re: icmp: echo reply? Am I being attacked?


On Thu, Jul 27, 2000 at 01:15:13PM +0100, Nuno Faria wrote:
> Ranko Veselinovic <[EMAIL PROTECTED]> sent me privately the following
> e-mail which I think might be relevant for the issue in question:
> _______________________
> I'm not sure but I think when you send an ICMP ECHO-Request to a
> broadcast
> address that the whole network will answer with echo-replies.
> I think this is a kind of smurf-attack and the address where the replies
> were sent is the target of the attacker. You were just abused for this
> attack.

Yes, you've been used as a smurf amplifier. The best course of action is
to not route broadcast addresses. (I.e., packets going to .0 are blocked
at the router.) Another approach is to 
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
on the linux machines. (Try putting it in a startup script.) That will
keep them from replying to broadcast echos.

-- 
Mike Stone


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
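
Added example, not part of the original thread: a small Python check that reads "tcpdump -n icmp" lines and flags echo requests sent to the network (.0-style) or broadcast address of your own subnets, which is the traffic both messages above say to block. It generalizes .0/.255 to subnets that are not /24; the sample lines, addresses and subnet list are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Handles the older "icmp: echo request" and newer "ICMP echo request" tcpdump
# styles; assumes numeric addresses (tcpdump -n icmp).
ECHO_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (?:ICMP|icmp:) echo (request|reply)"
)

def broadcast_targets(networks):
    """Map each subnet's network (.0-style) and broadcast address to its subnet."""
    targets = {}
    for net in map(ipaddress.ip_network, networks):
        targets[net.network_address] = net
        targets[net.broadcast_address] = net
    return targets

def find_broadcast_pings(lines, networks):
    """Return (claimed_source, destination, subnet) per broadcast echo request.

    The source is only what the packet claims; it can be forged.
    """
    targets = broadcast_targets(networks)
    hits = []
    for line in lines:
        m = ECHO_RE.search(line)
        if not m or m.group(3) != "request":
            continue
        try:
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:  # e.g. an octet above 255 in a damaged line
            continue
        if dst in targets:
            hits.append((m.group(1), str(dst), str(targets[dst])))
    return hits

# Constructed sample capture and subnets (documentation address ranges).
SAMPLE = [
    "13:15:13.101 203.0.113.9 > 192.0.2.255: icmp: echo request",
    "13:15:13.102 192.0.2.17 > 203.0.113.9: icmp: echo reply",
    "13:15:14.200 IP 203.0.113.9 > 192.0.2.0: ICMP echo request, id 7, seq 1, length 64",
    "13:15:15.300 IP 203.0.113.9 > 198.51.100.127: ICMP echo request, id 7, seq 2, length 64",
    "13:15:16.400 IP 192.0.2.17 > 192.0.2.1: ICMP echo request, id 9, seq 1, length 64",
]
LOCAL_NETS = ["192.0.2.0/24", "198.51.100.64/26"]

if __name__ == "__main__":
    for src, dst, net in find_broadcast_pings(SAMPLE, LOCAL_NETS):
        print(f"echo request to {dst} (subnet {net}), claimed source {src}")
```

Any hit on the inside of the router means broadcast ICMP is still being routed in; the claimed source is the address the replies will be sent to.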

