Bugtraq mailing list archives

Re: Router programming,source routes and spoofed ICMP attacks.


From: brian () saturn net (Brian Mitchell)
Date: Thu, 20 Jun 1996 19:23:48 -0400


On Thu, 20 Jun 1996, Alan Brown wrote:

> There's been an alarming increase in the incidence of ICMP attacks based
> around forged host/port unreachable messages recently, particularly on IRC
> servers as all it takes is one of these packets to cause client
> disconnects or even server splits.
>
> The culprit is a Windows version of that old nasty, nuke.c
> It's in wide distribution among the warez fraternity as it's a useful
> tool for them to prevent IRC administrators from working effectively.

No matter, most operating systems should be immune to such things at this
point in time.


> Apart from IRC, a machine being knocked off its connection by a constant
> stream of unreachables can then be spoofed for other possibly more
> serious attacks.

It attacks specific connections, it won't make a machine 'unreachable', it
can merely close specific established connections.


> A few pointers for routers will help reduce some of the damage.
>
> 1: Unless you have a reason not to, set all routers to dump source
>    routed frames. This is the default on some brands, but it isn't
>    on Ciscos (IMHO this is wrong but I'm not Cisco).
>    For Ciscos, once in configuration mode, set "no ip source-route",
>    then exit and write.

I'd say just about anyone who cares at all about security (ie: anyone
reading this list) has source routing disabled on their routers, and
probably on their individual workstations as well.


> 2: If you run a vulnerable machine (IRC or other chat server), consider
>    blocking icmp from outside your network from being passed through if
>    it's destined for that server.

Or simply apply suitable patches so it does the correct checks on the
validity of the icmp.


> Ciscos set to dump source routed IP still pass forged ICMP.
> Securicor 3net assure me that their routers don't and I have no
> information on any others.

I don't quite understand this. Source routing and forged icmp have
absolutely nothing to do with one another.


> These aren't going to help much when it comes to attacks from inside
> a site's routing cloud but it at least helps cut down on externals...

Most vendors have icmp patches, which will help on attacks from the inside.


> I have the source code to nuke.c and binaries of wnuke here but I'm not
> particularly happy with the thought of handing them out for obvious
> reasons, though they're probably readily available if one looks in the
> "right" places.

Everyone, and I *do* mean everyone has nuke.c. It is even mentioned in
the Cheswick/Bellovin firewall book.

Brian Mitchell                          brian () saturn net
Unix Security / Perl / WWW / CGI        http://www.saturn.net/~brian
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
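The "correct checks on the validity of the icmp" that Brian refers to above are worth seeing in code. The block below is an added example and is not part of either poster's message or of nuke.c: it forges an ICMP Destination Unreachable the way a nuke-style tool does (ICMP header followed by the quoted IP header and the first 8 bytes of the quoted TCP header), then shows the receive-side validation that defeats it: verify the ICMP checksum, require that the quoted packet's 4-tuple match a live connection, and require that the quoted TCP sequence number fall inside the unacknowledged send window (the check later written up in RFC 5927). The addresses, ports, connection table and sequence numbers are constructed for the demo; a blind forger can copy the 4-tuple off an IRC server's client list but cannot know the victim's send window.

```python
"""Forge and validate ICMP Destination Unreachable messages (added example).

Everything here (hosts, ports, the connection table) is constructed; the
validation mirrors what host ICMP patches of the period and RFC 5927 do.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3
IPPROTO_TCP = 6
HARD_ERROR_CODES = (2, 3, 4)  # protocol unreachable, port unreachable, frag needed


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(src_ip, dst_ip, sport, dport, seq, code=3, ttl=64) -> bytes:
    """Build the ICMP body of a Destination Unreachable as a nuke-style tool does:
    8-byte ICMP header, the 'offending' 20-byte IP header, then 8 bytes of TCP.
    The quoted packet claims to be one the victim (src_ip) sent to dst_ip."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, IPPROTO_TCP, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    quoted_tcp = struct.pack("!HHI", sport, dport, seq)  # ports + sequence number
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_ip + quoted_tcp
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def seq_in_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """SND.UNA <= SEG.SEQ < SND.NXT, with 32-bit wraparound."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def classify_unreachable(icmp: bytes, connections: dict) -> str:
    """Decide what a TCP stack should do with an incoming Destination Unreachable.

    connections maps (local_ip, local_port, remote_ip, remote_port) to
    {"snd_una": int, "snd_nxt": int}, the connection's unacknowledged send window.
    Returns a verdict string so the caller (and the tests) can see why.
    """
    if len(icmp) < 8 + 20 + 8:
        return "drop: truncated"
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        return "drop: bad checksum"
    if icmp[0] != ICMP_DEST_UNREACH:
        return "drop: not a destination unreachable"
    code = icmp[1]
    ihl = (icmp[8] & 0x0F) * 4
    if ihl < 20 or len(icmp) < 8 + ihl + 8:
        return "drop: truncated"
    if icmp[8 + 9] != IPPROTO_TCP:
        return "drop: quoted packet is not TCP"
    src = socket.inet_ntoa(icmp[8 + 12:8 + 16])
    dst = socket.inet_ntoa(icmp[8 + 16:8 + 20])
    sport, dport, seq = struct.unpack("!HHI", icmp[8 + ihl:8 + ihl + 8])
    # The quoted packet is one *we* supposedly sent, so its source is our local end.
    conn = connections.get((src, sport, dst, dport))
    if conn is None:
        return "drop: no matching connection"
    # The forger must guess this 32-bit value; nuke-style tools don't know it.
    if not seq_in_window(seq, conn["snd_una"], conn["snd_nxt"]):
        return "drop: sequence number outside send window"
    return "accept: hard error" if code in HARD_ERROR_CODES else "accept: soft error"


# Constructed scenario: an IRC client talking to a server, 500 bytes unacked.
LOCAL, LOCAL_PORT = "192.0.2.10", 40001
SERVER, SERVER_PORT = "198.51.100.7", 6667
CONNECTIONS = {(LOCAL, LOCAL_PORT, SERVER, SERVER_PORT): {"snd_una": 1000, "snd_nxt": 1500}}


def demo() -> dict:
    """Run a genuine unreachable and three forgeries through the validator."""
    legit = build_unreachable(LOCAL, SERVER, LOCAL_PORT, SERVER_PORT, seq=1200)
    blind = build_unreachable(LOCAL, SERVER, LOCAL_PORT, SERVER_PORT, seq=0)
    wrong_port = build_unreachable(LOCAL, SERVER, 40002, SERVER_PORT, seq=1200)
    corrupted = legit[:30] + bytes([legit[30] ^ 0xFF]) + legit[31:]
    return {
        "legit": classify_unreachable(legit, CONNECTIONS),
        "blind": classify_unreachable(blind, CONNECTIONS),
        "wrong_port": classify_unreachable(wrong_port, CONNECTIONS),
        "corrupted": classify_unreachable(corrupted, CONNECTIONS),
        "truncated": classify_unreachable(legit[:20], CONNECTIONS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>10}: {verdict}")
```

Only the first packet survives; the blind forgery carries the right ports but a sequence number the attacker cannot know, which is exactly the check the host-side patches add. Router-side ICMP filtering of the kind suggested in the thread is complementary, not a substitute, since it does nothing about forgeries originating inside the filter.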


