Bugtraq mailing list archives
Re: Router programming,source routes and spoofed ICMP attacks.
From: brian () saturn net (Brian Mitchell)
Date: Thu, 20 Jun 1996 19:23:48 -0400
On Thu, 20 Jun 1996, Alan Brown wrote:
> There's been an alarming increase in the incidence of ICMP attacks based around forged host/port unreachable messages recently, particularly on IRC servers as all it takes is one of these packets to cause client disconnects or even server splits. The culprit is a windows version of that old nasty, nuke.c. It's in wide distribution among the warez fraternity as it's a useful tool for them to prevent IRC administrators from working effectively.
No matter, most operating systems should be immune to such things at this point in time.
> Apart from IRC, a machine being knocked off its connection by a constant stream of unreachables can then be spoofed for other possibly more serious attacks.
It attacks specific connections, it won't make a machine 'unreachable', it can merely close specific established connections.
> A few pointers for routers will help reduce some of the damage.
>
> 1: Unless you have a reason not to, set all routers to dump source routed frames. This is the default on some brands, but it isn't on Ciscos (IMHO this is wrong but I'm not Cisco). For Ciscos, once in configuration mode, set "no ip source-route", then exit and write.
I'd say just about anyone who cares at all about security (i.e. anyone reading this list) has source routing disabled on their routers, and probably on their individual workstations as well.
> 2: If you run a vulnerable machine (IRC or other chat server), consider blocking icmp from outside your network from being passed through if it's destined for that server.
Or simply apply suitable patches so it does the correct checks on the validity of the icmp.
> Ciscos set to dump source routed IP still pass forged ICMP. Securicor 3net assure me that their routers don't and I have no information on any others.
I don't quite understand this. Source routing and forged icmp have absolutely nothing to do with one another.
> These aren't going to help much when it comes to attacks from inside a site's routing cloud but it at least helps cut down on externals...
Most vendors have icmp patches, which will help on attacks from the inside.
> I have the sourcecode to nuke.c and binaries of wnuke here but I'm not particularly happy with the thought of handing them out for obvious reasons, though they're probably readily available if one looks in the "right" places.
Everyone, and I *do* mean everyone, has nuke.c. It is even mentioned in the Cheswick/Bellovin firewall book.

Brian Mitchell brian () saturn net Unix Security / Perl / WWW / CGI
http://www.saturn.net/~brian
"I never give them hell. I just tell the truth and they think it's hell" - H. Truman
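Brian's point is that the fix belongs in the host's TCP/IP stack: a patched stack "does the correct checks on the validity of the icmp" before tearing a connection down. The following is an added illustration of what those checks look like; it is not code from this thread, from nuke.c, or from any vendor's patch. It parses an ICMP Destination Unreachable message, pulls out the quoted IP header plus the first eight bytes of TCP, and only allows a connection abort when the quoted 4-tuple matches a live connection, the quoted sequence number is actually in flight, and the ICMP code is a hard error (codes 2 to 4 per RFC 1122). The `TcpConn` table, the addresses, ports and sequence numbers, and the function names are all assumptions constructed for the demonstration; the packets are built in memory for the validator to inspect and are never sent.

```python
"""Host-side validation of ICMP Destination Unreachable before aborting TCP.

Added example, not part of the Bugtraq thread. A blind forger knows (or can
guess) the victim's address and a popular port, but not which segments are
currently unacknowledged; checking the quoted header against the connection
table is what makes a spoofed unreachable harmless.
"""
import socket
import struct
from dataclasses import dataclass

# RFC 1122 s4.2.3.9: codes 2-4 (protocol/port unreachable, fragmentation
# needed) are hard errors; every other code is soft and must not abort.
HARD_CODES = {2, 3, 4}


@dataclass
class TcpConn:            # constructed stand-in for a TCP control block
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    snd_una: int          # oldest unacknowledged sequence number
    snd_nxt: int          # next sequence number to be sent


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_unreachable(sender: str, target: str, code: int, q_src: str,
                           q_dst: str, sport: int, dport: int, seq: int) -> bytes:
    """ICMP type 3 quoting the offending IP header + first 8 bytes of TCP."""
    quoted = build_ipv4(q_src, q_dst, 6, struct.pack("!HHI", sport, dport, seq))
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(sender, target, 1, icmp)


def parse_icmp_unreachable(packet: bytes) -> dict:
    """Extract the quoted connection tuple from an ICMP Destination Unreachable."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("outer protocol is not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8 + 28:
        raise ValueError("too short to quote an IP header plus 8 bytes")
    if inet_checksum(icmp) != 0:          # integrity only, says nothing about origin
        raise ValueError("bad ICMP checksum")
    if icmp[0] != 3:
        raise ValueError("not Destination Unreachable")
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        raise ValueError("quoted transport header truncated")
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    return {"code": icmp[1], "outer_dst": socket.inet_ntoa(packet[16:20]),
            "proto": inner[9], "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport, "seq": seq}


def seq_in_send_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if snd_una <= seq < snd_nxt, modulo 2**32."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def should_abort(conns, packet: bytes):
    """Return (abort?, reason). Abort only for a hard error that quotes a
    segment this host really sent on a live connection."""
    try:
        q = parse_icmp_unreachable(packet)
    except ValueError as err:
        return False, f"malformed: {err}"
    if q["proto"] != 6:
        return False, "quoted packet is not TCP"
    if q["outer_dst"] != q["src"]:
        return False, "ICMP not addressed to the sender of the quoted packet"
    for c in conns:
        if (c.local_addr, c.local_port, c.remote_addr, c.remote_port) == \
                (q["src"], q["sport"], q["dst"], q["dport"]):
            break
    else:
        return False, "no connection matches the quoted 4-tuple"
    if not seq_in_send_window(q["seq"], c.snd_una, c.snd_nxt):
        return False, "quoted sequence number is not in flight"
    if q["code"] not in HARD_CODES:
        return False, f"code {q['code']} is a soft error; keep the connection"
    return True, f"hard error code {q['code']} for a segment we sent"


# Constructed connection table: one IRC client session, 500 bytes unacked.
CONNS = [TcpConn("192.0.2.10", 40000, "198.51.100.5", 6667, snd_una=1000, snd_nxt=1500)]

if __name__ == "__main__":
    genuine = build_icmp_unreachable("203.0.113.1", "192.0.2.10", 3,
                                     "192.0.2.10", "198.51.100.5", 40000, 6667, 1200)
    guessed = build_icmp_unreachable("203.0.113.1", "192.0.2.10", 3,
                                     "192.0.2.10", "198.51.100.5", 40000, 6667, 999999)
    for name, pkt in (("genuine", genuine), ("guessed seq", guessed)):
        print(name, should_abort(CONNS, pkt))
```

The sequence-number test is the decisive one: a message that quotes a 4-tuple the host recognises but a sequence number it has not sent recently is dropped, which is exactly what a blind forger produces. The checksum check only catches corruption; it proves nothing about who sent the message, so it must never be the basis for trusting it.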
Current thread:
- Sendmail 6.x+ holes? Robert A. Boyd (Jun 19)
- Re: Sendmail 6.x+ holes? Alan Brown (Jun 19)
- Re: Sendmail 6.x+ holes? Kari E. Hurtta (Jun 20)
- Re: Sendmail 6.x+ holes? Roland Dobbins (Jun 20)
- Re: Sendmail 6.x+ holes? martinh () mailhost emap co uk (Jun 24)
- Re: Sendmail 6.x+ holes? Henry W. Farkas (Jun 24)
- Re: Sendmail 6.x+ holes? Kari E. Hurtta (Jun 20)
- Router programming,source routes and spoofed ICMP attacks. Alan Brown (Jun 19)
- Re: Router programming,source routes and spoofed ICMP attacks. Brian Mitchell (Jun 20)
- Re: Router programming,source routes and spoofed ICMP attacks. Alan Brown (Jun 22)
- Re: Router programming,source routes and spoofed ICMP attacks. Brian Mitchell (Jun 24)
- Re: Router programming,source routes and spoofed ICMP attacks. Brian Mitchell (Jun 20)
- Re: Router programming,source routes and spoofed ICMP attacks. Cyrus Durgin (Jun 20)
- Re: Router programming,source routes and spoofed ICMP attacks. Yiorgos Adamopoulos (Jun 21)
- Administratrivia Aleph One (Jun 21)
- Write-only devices (Was read only devices) Paul C Leyland (Jun 21)
- Re: Write-only devices (Was read only devices) Piete Brooks (Jun 21)
- Re: Write-only devices (Was read only devices) [via LSMTP - see Paul C Leyland (Jun 24)
- nuke *Hobbit* (Jun 21)
- Re: nuke Rowan Smith (Jun 24)
- Re: Sendmail 6.x+ holes? Alan Brown (Jun 19)